MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 20:39:17

@MobilXperts Admin has joined the channel

jaimin.s (jaimins@gmail.com)
2016-07-22 20:39:18

@jaimin.s has joined the channel

Jonathan Henson (jon@1fixpc.com)
2016-07-22 20:39:18

@Jonathan Henson has joined the channel

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 20:39:56

Odd. Did Sentry 7.6+ lose its ability to trust multiple CAs?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 20:40:24

7.6: • Support for multiple trusted root certificates for device authentication

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 20:41:15

Ah, gotta concatenate.

jaimin.s (jaimins@gmail.com)
2016-07-22 20:55:50

You got multiple CA's deployed as a configuration?

jaimin.s (jaimins@gmail.com)
2016-07-22 20:55:58

Or Added in the "Trusted Root Certs"?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 20:56:08

Testing w/ Multiple CAs

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 20:56:20

Built 2, adding them both to 1 Sentry

jaimin.s (jaimins@gmail.com)
2016-07-22 20:56:34

What's the need for multiple CAs?

jaimin.s (jaimins@gmail.com)
2016-07-22 20:56:45

One root CA won't work?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 20:57:33

No specific reason ATM - But I’ve dealt with shops that wanted a different CA for each type of service - e.g Email, Tunnel, WiFi, etc

jaimin.s (jaimins@gmail.com)
2016-07-22 20:58:48

Instead of doing it on the Sentry why not push it on to the device as configuration item.

jaimin.s (jaimins@gmail.com)
2016-07-22 20:58:56

That way more granular control over who gets what

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 20:59:16

Well, that’s the other half of it

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 20:59:47

But if they are using one Sentry for more than one purpose with different issuing CAs, then this would accommodate that

jaimin.s (jaimins@gmail.com)
2016-07-22 21:00:13

Ahh gotcha

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:00:19

It’s like

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:00:24

Our Cisco ASAs

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:00:42

We issue WiFi Identity Certs from multiple Cores (DEV/QA/PROD)

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:01:13

and the ASA needs to be able to trust a cert/build VPN from any of the CAs sitting on each Core

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:01:41

So in that case, we provide each CA identity up to the Cisco ASA

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:02:35

In this case, I’m basically doing the same thing - Saying I’ve got one Sentry, but it could accept connections from devices using other environments, etc

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:02:39

It’s kind of sweet

jaimin.s (jaimins@gmail.com)
2016-07-22 21:03:03

Gotcha gotcha

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:04:12

I think the best use case would be what I mentioned up above.. I’ve got a DEV Core where I’m testing XYZ, but need to point the device to a single Sentry that has access to the web server/email server I’m trying to test, etc.

jaimin.s (jaimins@gmail.com)
2016-07-22 21:05:23

Makes sense

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:05:43

Or something. Probably best discussed over beer

jaimin.s (jaimins@gmail.com)
2016-07-22 21:07:19

@jaimin.s uploaded a file: Spotted cow and commented: Cooling in the fridge

jaimin.s (jaimins@gmail.com)
2016-07-22 21:14:08

From our call, a quick summary: the issue was that the devices on the internal "m" WiFi network (I think that's the name) would fail to get the Kerberos token and no requests were seen on the KKDCP.

After multiple test scenarios, we found that since the device was not using an external DNS (i.e. google 8.8.8.8), instead used their normal Blackstone DNS server, the device never resolved the KKDCP and therefore never sent traffic to it.

Once we manually added an external DNS server to the device, it then was able to resolve the KKDCP and authenticate to the target web site.

So the next steps will be Jaimin and team will try to add the SRV records to their DNS server to see if that will also work.

On the MobileIron side, we will be following up with engineering/dev to reconfirm whether what we are seeing is the expected behavior or not.

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:15:24

Okay - So was the device able to communicate with a DC from the WiFi segment it was on?

jaimin.s (jaimins@gmail.com)
2016-07-22 21:15:47

yep - on the one where we didn't restrict 88 it was

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:15:48

Hence eliminating the need for a proxy?

jaimin.s (jaimins@gmail.com)
2016-07-22 21:15:57

So that confirms the original thought we had

jaimin.s (jaimins@gmail.com)
2016-07-22 21:16:44

yes

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:17:01

But what they are indicating is that the proxy is needed regardless - Right?

jaimin.s (jaimins@gmail.com)
2016-07-22 21:17:12

But we want all of the devices going through the KKDCP vs. devices hitting the KDC directly

jaimin.s (jaimins@gmail.com)
2016-07-22 21:17:18

Correct

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:18:22

I think that’s going to jack with other devices looking up the _Kerberos SRV records internally. Not a big deal if you don’t mind them using the Proxy, but they’ll definitely be heading that way

jaimin.s (jaimins@gmail.com)
2016-07-22 21:19:19

We'll limit it so that only the devices on the M network go through that DNS which have the proxy defined.

jaimin.s (jaimins@gmail.com)
2016-07-22 21:19:36

And the M network is exclusive to mobile devices

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:19:44

Nice

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:19:53

Lucky you’re in a position to do that

jaimin.s (jaimins@gmail.com)
2016-07-22 21:20:08

After a lot of head butting, finally convinced them.

jaimin.s (jaimins@gmail.com)
2016-07-22 21:20:11

Not so @ Kindred?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:22:00

Just don’t have the resources/time in that department

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-22 21:22:12

They’re almost continually playing catch-up

jaimin.s (jaimins@gmail.com)
2016-07-22 21:23:05

Dang

braddle (ben.raddle@atkearney.com)
2016-07-26 18:18:13

@braddle has joined the channel

clappa00 (alex.clapp89@gmail.com)
2016-07-26 18:18:13

@clappa00 has joined the channel

jonboulos (jdboulos@gmail.com)
2016-07-27 15:21:30

@jonboulos has joined the channel

japple (jeffapple@yahoo.com)
2016-07-27 15:21:31

@japple has joined the channel

onires53 (jason.r.serino@gmail.com)
2016-07-27 15:21:31

@onires53 has joined the channel

thebjohn (brandonjohnson518@gmail.com)
2016-07-27 15:21:31

@thebjohn has joined the channel

matt.proudfoot (matt.proudfoot@gmail.com)
2016-07-27 15:21:32

@matt.proudfoot has joined the channel

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-07-27 15:21:51

Anyone presently working w/ iOS SSO/Kerberos Proxy?

braddle (ben.raddle@atkearney.com)
2016-08-08 16:01:22

Is it possible to force iOS update thru MI using Core 8.5 on premise?

onires53 (jason.r.serino@gmail.com)
2016-08-08 16:08:45

The way you would like.... No. However you can set your minimum iOS version to the latest version through your security policy and that would be a rude way of forcing people to update. 😉

braddle (ben.raddle@atkearney.com)
2016-08-08 16:18:12

Thanks Onires53 much appreciated

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-15 17:30:36

@channel - Anyone know if applying a Label in Core based on DEP Profile is possible? Looking at the 9.1.0.0 preview and I still don’t see anything in there for that.

jaimin.s (jaimins@gmail.com)
2016-08-16 16:56:59

Have you guys run into this issue?

User goes to MI App Store - Requests App - The "Requesting.." pop up shows, then disappears and nothing happens.

On iOS.

thebjohn (brandonjohnson518@gmail.com)
2016-08-16 16:58:37

Clear browser cache and try again. You are talking about the Apps@Work web clip?

jaimin.s (jaimins@gmail.com)
2016-08-16 16:58:46

Yes

jaimin.s (jaimins@gmail.com)
2016-08-16 17:00:07

Did that and re-enrolled device, and checked the provisioning profiles.

jaimin.s (jaimins@gmail.com)
2016-08-16 17:00:12

Let me check the MDM logs

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-16 17:07:27

What's the device say on the console log from XCode or Configurator?

jaimin.s (jaimins@gmail.com)
2016-08-16 17:44:04

Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad MobileSafari[228] <Error>: SecTrustEvaluate [root AnchorTrusted]
Aug 16 11:43:16 Jaimins-iPad ondemandd[161] <Error>: -[ODRBackgroundMaintenance startBackgroundMaintenanceOperations]

jaimin.s (jaimins@gmail.com)
2016-08-16 17:45:33

Not really telling - I've seen this before if there is an existing version installed, however not the case this time.

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-16 17:46:15

Odd. What do the MDM logs say for this device?

jaimin.s (jaimins@gmail.com)
2016-08-16 18:43:07

sigh....

jaimin.s (jaimins@gmail.com)
2016-08-16 18:43:16

When will people stop touching my lab env

jaimin.s (jaimins@gmail.com)
2016-08-16 18:43:22

Lead pulled the MDM cert

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-16 18:43:28

Ah… Really!?

jaimin.s (jaimins@gmail.com)
2016-08-16 18:43:28

As**Hol

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-16 18:43:33

WTF

jaimin.s (jaimins@gmail.com)
2016-08-16 18:43:37

DEV

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-16 18:43:41

Of all the things to not dick with

jaimin.s (jaimins@gmail.com)
2016-08-16 18:43:41

Not prod thank god

jaimin.s (jaimins@gmail.com)
2016-08-16 18:44:00

Yeah I had a sit down

jaimin.s (jaimins@gmail.com)
2016-08-16 18:44:17

But I still have 100 devices in DEV that now need to be re-enrolled

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-16 18:44:19

😀 🔫

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-16 18:44:44

Yeah, expiration on Apple’s side is one thing.. yanking it from the Core is another

jaimin.s (jaimins@gmail.com)
2016-08-16 18:45:03

"I was troubleshooting enrollment...."

jaimin.s (jaimins@gmail.com)
2016-08-16 18:45:06

Dawg....

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-16 18:45:40

I’m just going to suggest a demotion here, you know… to help troubleshoot the overall issue

jaimin.s (jaimins@gmail.com)
2016-08-16 18:45:56

sigh

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-08-16 18:52:58

http://gph.is/28SC6Ui

👍 jaimin.s
dustinclark (dustinclark916@gmail.com)
2016-09-09 20:34:59

@dustinclark has joined the channel

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-13 21:07:08

Anyone know if it’s possible to allow MobileIron Core to authenticate using UserID or Email address?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-13 21:07:27

I recall this worked back in the day, but I think it has since been removed

jaimin.s (jaimins@gmail.com)
2016-09-13 21:08:07

User ID +Pin is possible

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-13 21:08:36

I need Email or SAMAccountName for DEP and Secure Sign-In

jaimin.s (jaimins@gmail.com)
2016-09-13 21:09:14

Ahh

onires53 (jason.r.serino@gmail.com)
2016-09-13 21:46:23

Yeah. That limitation does stink but understandable for DEP. I was pushing for PIN based registration until I found that out at MFC this year.

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-13 21:54:26

Have you tested PIN-based DEP enrollment @onires53? Didn't think it existed

onires53 (jason.r.serino@gmail.com)
2016-09-13 22:12:46

No it doesn't exist. Now that we are DEP, pin based is out of the question.

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-13 22:14:47

Yeah, that makes sense. PIN based registration is a MobileIron protocol, not Apple.

jaimin.s (jaimins@gmail.com)
2016-09-16 04:03:16

How are you guys handling disabled AD accounts and retiring devices?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-16 04:56:02

That Assemble script that's out there on the MI repository

thebjohn (brandonjohnson518@gmail.com)
2016-09-16 12:48:54

@jaimin.s: We use what @MobilXperts Admin mentioned. We are configured to retire any device that has not checked in for 60 days + every Sunday afternoon. And then we have Core configured to delete retired devices daily for devices that have been retired for 1 day

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-16 13:06:59

Good approach, @thebjohn

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-16 13:10:36

In terms of Audit, do you just reference the Assemble/Core logs for the retire/delete actions?

jaimin.s (jaimins@gmail.com)
2016-09-16 13:48:51

#splunk

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-16 13:49:33

#Splunk #FTW

jaimin.s (jaimins@gmail.com)
2016-09-16 13:50:00

Greedy bastards though

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-16 13:51:09

they tryna get that 💸?

jaimin.s (jaimins@gmail.com)
2016-09-16 13:52:11

/giphy cash money

jaimin.s (jaimins@gmail.com)
2016-09-16 13:52:17

Wow

jaimin.s (jaimins@gmail.com)
2016-09-16 13:52:26

Giphy knows I'm indian

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-16 13:53:35

Hahahaha

thebjohn (brandonjohnson518@gmail.com)
2016-09-16 14:02:26

Haha

thebjohn (brandonjohnson518@gmail.com)
2016-09-16 14:02:55

We reference Core logs yes @MobilXperts Admin

👍 MobilXperts Admin
thebjohn (brandonjohnson518@gmail.com)
2016-09-28 18:37:45

Has anyone run into any issues with Enterprise WiFi and iOS 10 devices? We are having a lot of users losing internal WLAN connectivity. We haven't been able to reproduce on any of our iOS devices though.

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-28 18:54:50

Hmm - We haven’t approved iOS 10, but on our test devices we’ve had success thus far

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-28 18:54:56

No drop-outs like you describe

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-28 19:57:52

Been able to capture any device logs from the individuals reporting it? Guessing not since they are remote

thebjohn (brandonjohnson518@gmail.com)
2016-09-28 20:48:04

Not yet. We are gathering User Id's reporting this to see if it's hardware specific.

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-28 21:38:06

Yeah - that’s an odd one. The last thing in the world I’ve seen during a Mobile OS upgrade is an issue w/ drivers or hardware connectivity

thebjohn (brandonjohnson518@gmail.com)
2016-09-28 22:31:15

Possibly a SCEP/Cert issue coincidental, looking into it

MobilXperts Admin (mobilxpertsslack@gmail.com)
2016-09-28 22:43:35

Ahh, the plot thickens

runderwood (runderwood71@gmail.com)
2016-10-25 16:17:04

@runderwood has joined the channel

macbentosh (benbergthold@gmail.com)
2017-05-10 17:12:09

@macbentosh has joined the channel

macbentosh (benbergthold@gmail.com)
2017-05-18 20:24:04

Anyone seen this?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-18 20:26:06

Yes. Polaris needs access out to validate the embedded license

macbentosh (benbergthold@gmail.com)
2017-05-18 20:26:27

ok so from MI to where?

macbentosh (benbergthold@gmail.com)
2017-05-18 20:26:38

or from the device

macbentosh (benbergthold@gmail.com)
2017-05-18 20:29:06

Is that lic bundled with our MI package?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-18 20:35:08

Yes. The ACLS/urls are in the knowledge base articles.

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-18 20:35:19

I'm away from the keys ATM

macbentosh (benbergthold@gmail.com)
2017-05-18 20:45:16

not finding anything

macbentosh (benbergthold@gmail.com)
2017-05-18 20:59:41

anyone have any good handouts or what on how you sell this to your Doctors/users?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-18 21:30:58

In terms of Docs@Work?

macbentosh (benbergthold@gmail.com)
2017-05-18 21:32:53

mobileiron

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-19 12:32:33

To answer your question from yesterday @macbentosh -

macbentosh (benbergthold@gmail.com)
2017-05-19 18:02:51

yea I found that

macbentosh (benbergthold@gmail.com)
2017-05-19 18:03:05

is the Lic included with our Docs@ work from MI?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-19 18:42:05

MI Licenses Polaris for D@W across the board. It isn’t broken up individually for each customer

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-19 20:54:03

So, to answer your question - Yes, it is included in your Docs@Work license from MI

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-19 20:54:15

Sorry - Forgot to send that earlier

macbentosh (benbergthold@gmail.com)
2017-05-19 23:28:56

anyone doing the 9.0.2 update?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-19 23:39:01

We will be next week. I'll check which specific version of 9 we have pending install

thebjohn (brandonjohnson518@gmail.com)
2017-05-20 00:03:22

We got our QA boxes up to 9.0.2 this week

onires53 (jason.r.serino@gmail.com)
2017-05-20 00:05:49

We are getting ready to put one of our QA Sentry's up to 9.1 beta. Excited for ActiveSync v16 support and the ability to point to multiple Exchange environments with a single Sentry.

👍 MobilXperts Admin
thebjohn (brandonjohnson518@gmail.com)
2017-05-20 00:08:11

I believe 8.5 supports AS16

thebjohn (brandonjohnson518@gmail.com)
2017-05-20 00:08:18

And O365

onires53 (jason.r.serino@gmail.com)
2017-05-20 00:10:11

It does support it but downgrades the protocol. We are already on O365 so we are good there. The full v16 support supposedly comes in 9.1. Calendar attachment support. 😎

👍 MobilXperts Admin
thebjohn (brandonjohnson518@gmail.com)
2017-05-20 00:10:45

Ahh right on

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-20 18:49:58

Yeah, calendar attachment support will be handy to have. Eliminates a hell of a lot of pre-meeting emails.

thebjohn (brandonjohnson518@gmail.com)
2017-05-22 15:37:49

Anyone here dabbled into AppleTv configurations with Apple Configurator and Mobile Iron?

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-22 15:51:51

Not yet. What specifically are you working towards?

thebjohn (brandonjohnson518@gmail.com)
2017-05-22 16:01:28

Basic configuration capabilities. I'm having issues with Configurator not recognizing the enrollment profile and trust profile that was exported

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-22 16:02:57

Interesting. Coming from a Core w. the usual settings (Publicly trusted SSL certs, etc)?

thebjohn (brandonjohnson518@gmail.com)
2017-05-22 16:10:37

Correct

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-22 16:33:05

If you attempt the same approach and load that same MDM management profile to Configurator for an iOS device--Does it behave any differently? Curious if it is anything specific to the AppleTV component, or just Configurator not playing well with that Core in general

thebjohn (brandonjohnson518@gmail.com)
2017-05-22 16:50:02

Haven't tried that yet. I know "official" AppleTV support is in 9.4, so I might look at upgrading our test environment, then trying again

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-22 16:51:46

Yeah - I hate blasting a box just to try a preview version, only to have to blast it again to go to the GA release

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-22 16:52:06

Suppose it depends how soon you need results

thebjohn (brandonjohnson518@gmail.com)
2017-05-22 16:56:15

I plan on waiting. GMRC for 9.4 was available last week, so it's only a matter of days until the official release

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-05-22 17:03:47

Ah, nice. I missed that notification upon arrival back. Email avalanche

macbentosh (benbergthold@gmail.com)
2017-06-08 22:24:20

anyone able to help with a per app vpn or app specific tunnel?

thebjohn (brandonjohnson518@gmail.com)
2017-06-08 22:29:59

Possibly. What's up

macbentosh (benbergthold@gmail.com)
2017-06-08 22:30:40

when I add a new vpn config and select the connection type as mobileiron tunnel i can not select a sentry

thebjohn (brandonjohnson518@gmail.com)
2017-06-08 22:43:03

Core or Cloud? Version?

macbentosh (benbergthold@gmail.com)
2017-06-08 23:15:04

any issues using the same scep cert for apptunnel and tunnel?

jaimin.s (jaimins@gmail.com)
2017-06-08 23:16:22

No - downside is if you were to make changes to the cert both services would be impacted.

macbentosh (benbergthold@gmail.com)
2017-06-19 16:32:27

docs@works folks?

macbentosh (benbergthold@gmail.com)
2017-06-19 16:32:50

see anything weird as to why this isnt working for a docs@work config?

macbentosh (benbergthold@gmail.com)
2017-06-19 16:32:51

AUTOFILL_CREDENTIALS : {“default”:“cmc\$USERID$“}

MobilXperts Admin (mobilxpertsslack@gmail.com)
2017-08-07 21:43:03

@here FYI update your DEP tokens after upgrading to MobileIron Core 9.5, if you are coming from version 8.x.

If you’ve generated new tokens since upgrading to Core 9.x, you should be good. However, if going from 8.x to 9.5, you’ll need to renew them once the upgrade has completed.

Eric Deason (eric.deason@kindred.com)
2017-09-11 18:41:54

@Eric Deason has joined the channel

Alex Mercer (alexandra.e.mercer@gmail.com)
2017-09-11 18:44:17

@Alex Mercer has joined the channel

Woody (eric.woodland@trust.tc)
2017-09-11 22:26:28

@Woody has joined the channel

Woody (eric.woodland@trust.tc)
2017-09-13 18:21:11

@Jonathan Henson did you receive confirmation if the M@W 9.5.0.0 client addressed the issue you were seeing with LG v20 units in Android Enterprise?

Jonathan Henson (jon@1fixpc.com)
2017-09-13 18:22:49

I haven't reached out for confirmation. Working through audit issues this month and the workaround of setting a password on the AFW container has kept the three problem devices working.

👌 Woody
Woody (eric.woodland@trust.tc)
2017-09-13 18:23:56

Nice to hear there wasn’t too much grumbling about the password on the AE profile, at least for now.

Woody (eric.woodland@trust.tc)
2017-09-13 18:29:26

Hopefully you can remove the requirement once you’ve had time to test the newer client

Simon Hardy-Bistagne (simon@smnhdy.com)
2017-09-13 19:34:32

@Simon Hardy-Bistagne has joined the channel

Jason Bayton (jason@bayton.org)
2017-09-13 21:00:16

@Jason Bayton has joined the channel

Martin Cygan (martin@mobileiron.com)
2017-09-14 00:45:26

@Martin Cygan has joined the channel

aaron (aaron@groundctl.com)
2017-09-14 01:27:37

@aaron has joined the channel

Ash Armitt (ashleyarmitt@gmail.com)
2017-09-14 04:56:32

@Ash Armitt has joined the channel

Darryl Miles (darryl_miles@au1.ibm.com)
2017-09-14 08:04:37

@Darryl Miles has joined the channel

Duncan (duncan@govalux.com)
2017-09-17 14:31:10

@Duncan has joined the channel

macbentosh (benbergthold@gmail.com)
2017-09-19 15:02:39

anyone know a way to make a label based on an app inventory

thebjohn (brandonjohnson518@gmail.com)
2017-09-19 15:08:50

Hmm, unless a custom attribute could be created to identify a specific app in which you can then apply to the label, I’m not sure

macbentosh (benbergthold@gmail.com)
2017-09-19 15:24:13

i wish like in jamf I could advertise configurations in the apps at work

👍 Woody
macbentosh (benbergthold@gmail.com)
2017-09-19 15:24:29

like click here to get your wifi setup.

Woody (eric.woodland@trust.tc)
2017-09-20 16:14:43

I do like the idea of that @macbentosh

Woody (eric.woodland@trust.tc)
2017-09-20 16:16:51

Perhaps that would be more of a workflow via ServiceNow than something offered directly inside Apps@Work

Woody (eric.woodland@trust.tc)
2017-09-20 16:17:25

I do think long-term it would make sense to have a “Services” sub-menu, etc.

Woody (eric.woodland@trust.tc)
2017-09-20 16:18:23

@macbentosh you could probably assign a label based on App identifier (bundle ID) inside Assemble

macbentosh (benbergthold@gmail.com)
2017-09-20 17:15:16

I keep hearing this assemble. Never used it.

Woody (eric.woodland@trust.tc)
2017-09-20 17:18:19

Powerful stuff. I’ll get a link

thebjohn (brandonjohnson518@gmail.com)
2017-09-20 17:38:40

Powerful when it actually works with latest Core releases 👍

Jason Bayton (jason@bayton.org)
2017-09-20 21:17:30

Used it a couple weeks back for a LDAP migration. Retire & Delete user for anyone in a particular label was incredible.

macbentosh (benbergthold@gmail.com)
2017-09-20 21:22:29

well I’d like to give it a try

Duncan (duncan@govalux.com)
2017-09-20 21:25:19

Is there a kind of repository of MI Assemble scripts for various purposes? (I’m not such a fan of reading the API guides, rather play around with examples)

macbentosh (benbergthold@gmail.com)
2017-09-25 17:17:50

Anyone know how to check history of an exchange server going down…Had one have an issue on Saturday and server team is blaming mobileiron for the issue.

macbentosh (benbergthold@gmail.com)
2017-09-25 17:17:55

Logs only show today

Woody (eric.woodland@trust.tc)
2017-09-25 17:19:56

Sentry could have if it were configured to offload, but it does not natively retain anything that far back.

Woody (eric.woodland@trust.tc)
2017-09-25 17:20:18

I’m curious - Why are they blaming MobileIron for taking down their server? That’s kind of absurd.

macbentosh (benbergthold@gmail.com)
2017-09-25 17:20:53

users were prompted for password

Woody (eric.woodland@trust.tc)
2017-09-25 17:21:52

Due to re-install of an Exchange configuration? So, is that the team’s way of saying their back-end CAS servers aren’t capable of handling the load?

macbentosh (benbergthold@gmail.com)
2017-09-25 17:22:13

they took both CAS servers out at the same time

Woody (eric.woodland@trust.tc)
2017-09-25 17:22:28

For maintenance, etc?

macbentosh (benbergthold@gmail.com)
2017-09-25 17:23:39

updates

Jason Bayton (jason@bayton.org)
2017-09-25 17:24:24

I'm lost - so are they saying MI took the CAS down when they obviously did themselves or ..?

macbentosh (benbergthold@gmail.com)
2017-09-25 17:25:19

they say the 2 were never down together

Woody (eric.woodland@trust.tc)
2017-09-25 17:25:36

Is there a LB in front of the 2 CAS servers?

Woody (eric.woodland@trust.tc)
2017-09-25 17:25:56

Perhaps it failed to perceive that Server A was back up before they rebooted Server B

macbentosh (benbergthold@gmail.com)
2017-09-25 17:26:29

No MI doing to the LB

Woody (eric.woodland@trust.tc)
2017-09-25 17:27:46

So, the first thing I would do (if I were the owner of a CAS server before rebooting server B) is check Server A to see if loads of incoming sessions were arriving from the Sentry appliance. If not, I wouldn’t reboot Server B

Woody (eric.woodland@trust.tc)
2017-09-25 17:28:18

So, they failed to ensure that Server A was functioning correctly prior to the reboot of server B. I still say it’s not your problem

👍 jaimin.s
macbentosh (benbergthold@gmail.com)
2017-09-25 17:49:19

2017-09-24 05:00:27,281 WARN [AppServer.recordFailureEvent:362] (Thread-HC-fch1095.cmcinet.org) (,,,,,,,,,,,) Ignoring failure event for server fch1095.cmcinet.org:443 already in dead state.

Woody (eric.woodland@trust.tc)
2017-09-25 17:50:06

Right. So Sentry never perceived Server A to be back online

Woody (eric.woodland@trust.tc)
2017-09-25 17:50:48

So before rebooting Server B they should have checked connections, noticed it was receiving none and reached out to you

macbentosh (benbergthold@gmail.com)
2017-09-25 18:40:42

It's odd though, I can’t catch the 2 marked down together

thebjohn (brandonjohnson518@gmail.com)
2017-09-26 14:47:43

Anyone using S/MIME with iOS and per message S/MIME configs via Mobile Iron?

Woody (eric.woodland@trust.tc)
2017-09-26 16:03:11

Sorry, @thebjohn. Not an area I’ve dealt with lately. @here - Anyone able to chime-in on S/MIME?

thebjohn (brandonjohnson518@gmail.com)
2017-09-26 16:05:06

It would seem that files sent via encrypted email will not decrypt in iOS 11 in native mail, can’t open in other apps either, like Pages or Docs@Work. I downloaded public Microsoft Word, will load there after confirming recover contents of document as Word found unreadable content

macbentosh (benbergthold@gmail.com)
2017-09-26 21:24:41

so any new ideas on how to make a label based on installed app

macbentosh (benbergthold@gmail.com)
2017-09-26 21:24:54

need users to get a new wifi policy when they install vocera

macbentosh (benbergthold@gmail.com)
2017-09-26 21:25:00

needs to get on our voice network

thebjohn (brandonjohnson518@gmail.com)
2017-09-26 21:26:38

Is it published via your company AppStore?

macbentosh (benbergthold@gmail.com)
2017-09-28 23:07:59

yes

Woody (eric.woodland@trust.tc)
2017-09-29 15:03:23

So @macbentosh you want them to get the WiFi -only- if they’ve installed the app? Not just generally available if they’re someone who’s eligible for the app?

macbentosh (benbergthold@gmail.com)
2017-09-29 16:06:04

I have an ent. wifi label. If someone installs an app that requires the ent. prod network i want them added to that label.

Woody (eric.woodland@trust.tc)
2017-09-29 16:12:47

Another Task that Assemble could handle

Woody (eric.woodland@trust.tc)
2017-09-29 16:13:06

If app “insert bundle ID here” is installed, assign Corporate WiFi Label

macbentosh (benbergthold@gmail.com)
2017-09-29 16:14:44

how do i get assemble!?

macbentosh (benbergthold@gmail.com)
2017-09-29 16:31:26

see that’s what no one can answer..:(

Woody (eric.woodland@trust.tc)
2017-09-29 19:15:32

It’s published in the community

Woody (eric.woodland@trust.tc)
2017-09-29 21:31:42

Here’s the beginning of the rule you’d be looking to craft, sans assign of label:

👀 Jason Bayton
Woody (eric.woodland@trust.tc)
2017-09-29 21:31:44

[RuleNum]
numberofrules=1
sleeptime=20
delimeter=,
appnames=anyconnect

[Rule1]
NumberofElements=1
Action=report
ActionReason=installed appname anyconnect

reportsend=yes
reportname=MobileIronanyconnectreport
reportlocation=C:\MobileIron\Reports\
reportmessage=appname anyconnect
reportvar=uuid,principal,emailAddress,manufacturer,ModelName,modeluniversal,appsmanagedstatus,apps_version

Element1trigger=app:installed
Element1description=installed appname anyconnect
Element1operator=equals
Element1source=local
Element1_value=anyconnect

👍 Jason Bayton
❤️ Jason Bayton
👀 Jason Bayton
Woody (eric.woodland@trust.tc)
2017-09-29 21:32:41

Instead of report, you’d assign label for that particular WiFi config

macbentosh (benbergthold@gmail.com)
2017-10-04 16:22:20

How does one go about restricting registration to devices with 9.3.5+

Jason Bayton (jason@bayton.org)
2017-10-04 16:36:54

I don't see an option in core to disable based on version. You could disable iOS altogether? ;)

Woody (eric.woodland@trust.tc)
2017-10-04 16:47:12

You’d need something like BYODPortal, @macbentosh

Woody (eric.woodland@trust.tc)
2017-10-04 16:48:16

The M@W Agent/iOS MDM don’t drill for a version of iOS at that point in the registration, so the only means you have to prevent a device from enrolling is to detect the browser agent details and stop it there

macbentosh (benbergthold@gmail.com)
2017-10-05 20:49:14

anyone else seeing VPP issues

macbentosh (benbergthold@gmail.com)
2017-10-05 20:49:35

@macbentosh uploaded a file: Untitled

Jason Bayton (jason@bayton.org)
2017-10-05 20:50:46

Have you got multiple vpp in your core?

Jason Bayton (jason@bayton.org)
2017-10-05 20:50:51

Accounts**

macbentosh (benbergthold@gmail.com)
2017-10-05 20:51:02

no

Jason Bayton (jason@bayton.org)
2017-10-05 20:52:11

I'm seeing the appid issue with another customer, but they had multiple vpp trying to push the same apps to the same people.

Jason Bayton (jason@bayton.org)
2017-10-05 20:52:31

Have you done anything externally with vpp? Configurator or anything?

macbentosh (benbergthold@gmail.com)
2017-10-05 20:52:49

they were supervised with configurator

macbentosh (benbergthold@gmail.com)
2017-10-05 20:52:54

like they always have been

Jason Bayton (jason@bayton.org)
2017-10-05 20:53:29

Fine, I'll assume you've not just recently added your dep/vpp account to configurator

macbentosh (benbergthold@gmail.com)
2017-10-05 20:53:45

no it is just used to supervise

Jason Bayton (jason@bayton.org)
2017-10-05 20:54:55

Hm. I've had this in AirWatch and reuploading the stoken sorted it, but doesn't give you any RCA.

Jason Bayton (jason@bayton.org)
2017-10-05 20:55:17

Take it the token hasn't expired.

macbentosh (benbergthold@gmail.com)
2017-10-05 20:55:39

if we try and try it goes…hit or miss..right now three devices 2 got M@W and not rover 1 got Rover but not M@W

macbentosh (benbergthold@gmail.com)
2017-10-05 20:55:54

token has 320 days

Jason Bayton (jason@bayton.org)
2017-10-05 20:56:58

Can you telnet out to Apple servers without any problems? See if it's not network related.. otherwise I can't think of much else off the top of my head.

Jason Bayton (jason@bayton.org)
2017-10-05 20:57:19

MICs logs giving you anything more interesting to go off?

macbentosh (benbergthold@gmail.com)
2017-10-05 20:57:35

telnet to what address?

jaimin.s (jaimins@gmail.com)
2017-10-05 20:57:47

VPP service is down for us as well

jaimin.s (jaimins@gmail.com)
2017-10-05 20:58:27

Can't get to portal or login via configurator

Jason Bayton (jason@bayton.org)
2017-10-05 20:58:40

Oh goody..

macbentosh (benbergthold@gmail.com)
2017-10-05 20:58:50

im on the portal

jaimin.s (jaimins@gmail.com)
2017-10-05 20:59:15

Last I checked was 30 mins ago

macbentosh (benbergthold@gmail.com)
2017-10-05 21:00:32

i connect just fine over telnet

Jason Bayton (jason@bayton.org)
2017-10-05 21:45:27

If VPP is down it wouldn't make any difference anyway.. was just a thought 🙂

macbentosh (benbergthold@gmail.com)
2017-10-05 23:35:35

still down…

macbentosh (benbergthold@gmail.com)
2017-10-06 22:03:00

Anyone here from kaiser?

Jason Bayton (jason@bayton.org)
2017-10-09 08:52:58

Has anyone seen the m@w agent resetting after enrolment in iOS 11 on core 9.5?

Jason Bayton (jason@bayton.org)
2017-10-09 08:53:41

Like, finish enrolment, quit out of the agent, go back in and it's acting like it's never been enrolled.

Woody (eric.woodland@trust.tc)
2017-10-09 15:05:16

I have not @Jason Bayton, but can test/check around.

👍 Jason Bayton
❤️ Jason Bayton
macbentosh (benbergthold@gmail.com)
2017-10-09 17:06:59

well looks like vpp is having issues again.

😭 Woody
macbentosh (benbergthold@gmail.com)
2017-10-09 17:07:07

@macbentosh uploaded a file: Untitled

Woody (eric.woodland@trust.tc)
2017-10-09 18:31:22

In case you’re using Azure AD and looking to integrate with MobileIron Cloud - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-mobileiron-tutorial

David Larrea (david@larreaonline.com)
2017-10-12 18:55:20

@David Larrea has joined the channel

Russell Mohr (rmohr@mobileiron.com)
2017-10-12 19:05:24

@Russell Mohr has joined the channel

HackediOS (info@hackedios.com)
2017-10-12 20:20:34

@HackediOS has joined the channel

Martin Cygan (martin@mobileiron.com)
2017-10-13 16:48:46

Guys, there will be an Update soon. With the integration of the Zimperium SDK we will be able to detect a rooted/jailbroken device even before enrolling to EMM. The Mobile@Work client will alarm the user and admin immediately. Hope you like it!

👏 Woody
Jason Bayton (jason@bayton.org)
2017-10-13 17:02:07

@Martin Cygan Go or M@W first? Which respective version?

Also, any date commitment for targeting API26 for Android? Work-managed work profile support hinges on it!

Martin Cygan (martin@mobileiron.com)
2017-10-13 17:06:28

M@W first, then GO. Expect this year ;-) Sorry, can not make commitments on dates in a public channel, hope you understand this.

Jason Bayton (jason@bayton.org)
2017-10-13 17:09:19

No harm in trying ;)

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 18:05:22

@Kiran Patel has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 18:07:45

@Martin Cygan pretty excited about the Zimperium integration into the M@W client

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2017-10-13 18:07:47

game changer

Martin Cygan (martin@mobileiron.com)
2017-10-13 18:16:34

Me too. This is something new to the Mobile Space.

Bastian (bastian@i211.de)
2017-10-13 18:56:48

@Bastian has joined the channel

Volker Weber (vowe@vowe.net)
2017-10-13 19:06:24

@Volker Weber has joined the channel

Danijel Stanic (danijel@stanic.org)
2017-10-13 19:39:58

@Danijel Stanic has joined the channel

Jason Bayton (jason@bayton.org)
2017-10-13 19:41:29

I set up a PoC with Tunnel as an always-on VPN in an Android enterprise work profile this afternoon. About 25 mins from creating a Sentry VM and it was up and running. Working really nicely too!

👏 Woody
Martin Cygan (martin@mobileiron.com)
2017-10-13 19:43:47

Thx for sharing. Expect same experience for macOS later this year ;-)

Jason Bayton (jason@bayton.org)
2017-10-13 19:45:02

What a coincidence, there's a shiny, new, yet to be unboxed MBP in my case here I'm looking forward to cracking open when I land back in Wales later tonight :)

😅 Martin Cygan, Woody
Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:30:50

Hopefully Core 9.6 adds some more macOS mgmt features 🙂

Martin Cygan (martin@mobileiron.com)
2017-10-13 20:33:27

@Kiran Patel Oh yes it will. Is there anything special you need?

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:33:38

not really - we have 4 macs

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:33:41

but it's exciting to see

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:33:42

LD

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:33:45

:D**

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:34:09

I'm excited for the Graph API stuff

Martin Cygan (martin@mobileiron.com)
2017-10-13 20:38:55

Kiran, if you are a customer, I hope you have access to the Beta-Portal?

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:44:14

I do

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:44:20

thanks for checking Martin

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:44:27

Just no time to build out a new env

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:44:36

wish i should patch update my lab env and not have to blow it away with every day

Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:44:57

I gave that feedback to Lucky and the eng team there the last time I was at HQ. Hopefully they support that soon

Martin Cygan (martin@mobileiron.com)
2017-10-13 20:46:57

Yes this is something we can improve, let me reach out to Lucky too to follow up.

❤️ Jason Bayton, Kiran Patel, Woody
Kiran Patel (kiran@kiranpatel.net)
2017-10-13 20:53:53

Thanks!

Manju (mbhat123@gmail.com)
2017-10-14 17:48:27

@Manju has joined the channel

NicolasR (raison_nicolas@me.com)
2017-10-14 23:45:01

@NicolasR has joined the channel

Angela (angi.szabo@gmail.com)
2017-10-15 09:22:52

@Angela has joined the channel

Jason (jasonh@bridgeway.co.uk)
2017-10-15 11:25:01

@Jason has joined the channel

Fabian (mobilxperts@neokortex.de)
2017-10-15 14:27:28

@Fabian has joined the channel

RobE (robert.kreuzer@outlook.com)
2017-10-15 18:36:38

@RobE has joined the channel

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-16 09:54:42

@Ole Schulenburg has joined the channel

Dominik (domi0815@gmail.com)
2017-10-16 15:55:45

@Dominik has joined the channel

Woody (eric.woodland@trust.tc)
2017-10-16 16:06:36

@here Of those using #mobileiron, who’s using On-Premise Core, Dedicated Core, Connected Cloud (Legacy) or MobileIron Cloud?

Woody (eric.woodland@trust.tc)
2017-10-16 16:06:46

*Thread Reply:* Let’s try using a thread for the responses 🙂

macbentosh (benbergthold@gmail.com)
2017-10-16 16:06:58

*Thread Reply:* On prem

Woody (eric.woodland@trust.tc)
2017-10-16 16:07:44

*Thread Reply:* Single Core, HA, Multiple Cores for different purposes @macbentosh?

macbentosh (benbergthold@gmail.com)
2017-10-16 16:08:16

*Thread Reply:* single core

macbentosh (benbergthold@gmail.com)
2017-10-16 16:08:26

*Thread Reply:* 5 HA sentry

Jason Bayton (jason@bayton.org)
2017-10-16 16:14:21

*Thread Reply:* On-prem & Cloud, single cores though have done a few HA + cold DR too

Woody (eric.woodland@trust.tc)
2017-10-16 16:14:50

*Thread Reply:* @macbentosh are you running Email/Tunnel on all 5 Sentrys?

Woody (eric.woodland@trust.tc)
2017-10-16 16:15:08

*Thread Reply:* Curious how many folks combine services these days

macbentosh (benbergthold@gmail.com)
2017-10-16 16:15:27

*Thread Reply:* 1 non kerb sentry 2 kerb email and 2 app sentry

👌 Woody
Kiran Patel (kiran@kiranpatel.net)
2017-10-16 16:16:10

*Thread Reply:* On prem

Kiran Patel (kiran@kiranpatel.net)
2017-10-16 16:16:41

*Thread Reply:* 2 Cores, 10 Sentry appliances globally

👌 Woody
Woody (eric.woodland@trust.tc)
2017-10-16 16:19:23

*Thread Reply:* @macbentosh why the need for the non-KCD Sentry? Folks that haven’t yet migrated, accessing EAS manually, etc?

macbentosh (benbergthold@gmail.com)
2017-10-16 16:19:46

*Thread Reply:* we had an issue with shared devices and the kerb serts

macbentosh (benbergthold@gmail.com)
2017-10-16 16:19:48

*Thread Reply:* certs

macbentosh (benbergthold@gmail.com)
2017-10-16 16:20:12

*Thread Reply:* we also use it for additional accounts. assistants who want their email and their boss

macbentosh (benbergthold@gmail.com)
2017-10-16 16:20:26

*Thread Reply:* Kerb doesnt work for additional accounts

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-16 16:22:51

*Thread Reply:* OnPrem, CLOUD (we are a MI partner so we have both)

NicolasR (raison_nicolas@me.com)
2017-10-16 16:23:48

*Thread Reply:* Same as Ole, both Cloud, CORE + Connected Cloud, Hosted CORE for our customers

Kiran Patel (kiran@kiranpatel.net)
2017-10-16 16:15:57

On Prem

Fabian (mobilxperts@neokortex.de)
2017-10-16 16:24:21

We have > 200 Hosted Cores + > 300 Hosted Sentries, 2 own MobileIron Cloud Clusters and many more stuff on premise 🙂

👍 RobE, Woody, Russell Mohr
macbentosh (benbergthold@gmail.com)
2017-10-16 16:28:57

@Fabian how many devices!?

Fabian (mobilxperts@neokortex.de)
2017-10-16 16:30:02

In total somewhere above 200k, not counting the AirWatch customers

macbentosh (benbergthold@gmail.com)
2017-10-16 16:30:16

wow

Fabian (mobilxperts@neokortex.de)
2017-10-16 16:31:24

Not that different to a single environment. It's just mainly much more automation 🙂

Kiran Patel (kiran@kiranpatel.net)
2017-10-16 16:34:07

@Fabian I'm guessing you work at an MSP?

Fabian (mobilxperts@neokortex.de)
2017-10-16 16:34:38

What's MSP? Microsoft Partner?

Kiran Patel (kiran@kiranpatel.net)
2017-10-16 16:34:50

Managed Service Provider

Kiran Patel (kiran@kiranpatel.net)
2017-10-16 16:35:12

or are you in house at a firm - if so that is a massive deployment!

Fabian (mobilxperts@neokortex.de)
2017-10-16 16:36:43

The first one - we are a company shaped around mobile enterprise use cases, trying to fulfill all the upcoming needs and therefore provide a wide range of stuff around mobile

Martin Cygan (martin@mobileiron.com)
2017-10-16 17:30:27

If this all would be just one customer, this would be huge :-)

😆 Woody
Florian Moennig (florian.moennig@isec7.com)
2017-10-16 18:33:13

@Florian Moennig has joined the channel

Mark Vonk (mark.vonk@dahvo.com)
2017-10-16 18:38:26

@Mark Vonk has joined the channel

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-16 19:47:46

that's quite impressive @Fabian. probably one of the biggest MI Partners 🙂

Jason Bayton (jason@bayton.org)
2017-10-16 19:49:54

@Simon Hardy-Bistagne how does VF compare at the moment?

Simon Hardy-Bistagne (simon@smnhdy.com)
2017-10-16 19:51:12

*Thread Reply:* Depends what section/area you're looking at and from what angle... to work for, or as a customer?

Jason Bayton (jason@bayton.org)
2017-10-16 19:52:30

*Thread Reply:* MobileIron hosted server count in the German DC I mean.. :)

Simon Hardy-Bistagne (simon@smnhdy.com)
2017-10-16 20:00:21

*Thread Reply:* From a platform technology perspective it's a stable and up to date offering at the core. Biggest issues though are around deployments of the UEM components and managing non iOS or Android devices. The "offering" as a product just hasn't been looked after properly.

😢 Jason Bayton
🤔 Ole Schulenburg
Amine (amine.ayad@gmail.com)
2017-10-16 19:50:01

@Amine has joined the channel

Martin Cygan (martin@mobileiron.com)
2017-10-16 20:56:07

New Posting in #jobhunters btw. Feel free to join the Channel.

macbentosh (benbergthold@gmail.com)
2017-10-16 21:07:35

what does MI consider the gateway

macbentosh (benbergthold@gmail.com)
2017-10-16 21:07:37

WARNING:: MobileIron gateway is unreachable.

Angela (angi.szabo@gmail.com)
2017-10-16 21:27:34

@macbentosh normally it means appgw.mobileiron.com via port 443. You can check the status of the mobileiron services under https://trust.mobileiron.com/. If there isn't any degradation, probably some connection issue within the network between the core and the appgw

✅ Jason Bayton, Woody
RobE (robert.kreuzer@outlook.com)
2017-10-17 06:52:12

*Thread Reply:* It would be great if the activation service for Email+ would also be shown on that site - it was down a couple of weeks ago and this would help!

NicolasR (raison_nicolas@me.com)
2017-10-16 21:28:27

199.127.90.0/23 🙂

Angela (angi.szabo@gmail.com)
2017-10-16 21:31:38

you can find more information regarding to the App GW under https://community.mobileiron.com/docs/DOC-4935 🙂

👍 Jason Bayton, Woody
jake (jake.woodhams@gmail.com)
2017-10-17 03:49:56

@jake has joined the channel

Joe Dickey (joe@groundctl.com)
2017-10-17 05:01:39

@Joe Dickey has joined the channel

Marco Foellmer (marco.foellmer@ebf.de)
2017-10-17 14:32:00

@Marco Foellmer has joined the channel

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 18:21:51

Anyone on-prem MI Core? And if so, running HA? Have a question if so

Woody (eric.woodland@trust.tc)
2017-10-17 18:35:42

*Thread Reply:* Thread-style…

Jason (jasonh@bridgeway.co.uk)
2017-10-17 18:36:29

*Thread Reply:* Fair point. Threading it.

👍 Woody
Woody (eric.woodland@trust.tc)
2017-10-17 18:37:31

*Thread Reply:* Bring it on, @thebjohn

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:01:59

*Thread Reply:* We are troubleshooting an issue with random long HA sync times, like 14-24 hours for Cores with at most 30k devices. We switched NIC on VMs recently as a recommendation by MI, no luck. We are going to test flipping primary to other data center now in QA to see if that makes a difference. There are a lot of factors here and we are trying to rule out 1 by 1

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:03:22

*Thread Reply:* For more background. (2) environments, both with (2) Cores, (1) in seawater data centers with HA sync set to every 2 hours between the Primary/Secondary. Nightly auto backup runs once every 24 hours as our fallback. Compliance check interval set to run every 12 hours for reference. We also have (3) Assemble jobs that run daily.

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:03:39

*Thread Reply:* Long sync intervals are very sporadic, happening a few times within a week span with no specific times

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:06:10

*Thread Reply:* How annoying. Intermittent issues are always the hardest to track down.

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:06:43

*Thread Reply:* Which version(s) of Core servers?

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:07:08

*Thread Reply:* (And has this been an ongoing problem, or a recent one?)

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:10:41

*Thread Reply:* Currently at 9.4 in Prod and testing 9.5 in QA. Still seeing the issue in QA relative to device count obviously. Normal sync times in QA are about 2 minutes, long ones shoot up to 20, for like 10 devices

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:11:07

*Thread Reply:* We aren’t sure how long honestly. We noticed recently after reviewing logs and sync times just because we wanted an idea

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:13:42

*Thread Reply:* The QA servers in the same DC locations, presumably?

Woody (eric.woodland@trust.tc)
2017-10-17 19:16:31

*Thread Reply:* @thebjohn that is odd. We had 2 Cores with nearly 60k devices syncing in ~1 hour and 45 mins.

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:19:52

*Thread Reply:* Correct @Jason

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:20:08

*Thread Reply:* That is our average time, then have the long ones popping in at random

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:20:45

*Thread Reply:* And the QA servers running on different VM servers, presumably?

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:21:55

*Thread Reply:* I think that your approach is the intelligent one, reducing the factors that could be causing the issue in order to identify the real culprit.

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:25:01

*Thread Reply:* I would be tempted to run the two QA Cores in the same DC, to rule out the wet-string and as many intermediary switches/routers from the equation as possible.

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:25:43

*Thread Reply:* Are you seeing occasional timeouts with your API calls too?

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:25:56

*Thread Reply:* Yes, different VMs but essentially mimic prod so that we can test configurations, upgrades, etc prior to rollout in Prod

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:26:17

*Thread Reply:* With APIs not that I know of

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:26:53

*Thread Reply:* I don’t think we could get ESX hosting to switch the VM to a data center easily as that would require re IPing and all that fun stuff

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:27:29

*Thread Reply:* Specifically different VM physical host servers?

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:27:59

*Thread Reply:* Oh, we have some using vMotion for that, but that’s another story.

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:29:43

*Thread Reply:* The challenge is going to be to consistently replicate the failures in the QA servers - absence of a failure won’t prove absence of a potential issue.

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:31:18

*Thread Reply:* I guess the answer to your question is: no, that shouldn’t happen. Unfortunately, I guess what you really want is the answer to “why does this happen?” and even more so “how do I stop it from happening?” 🙂

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:32:50

*Thread Reply:* Haha, well, that is ideal, but I know this one is going to be tough to crack. We are trying to review network issues, VM hosting and Mobile Iron simultaneously. As you know with any IT organization, they don’t like to be called out for issues, so finger pointing starts

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:36:27

*Thread Reply:* Understood. May I ask that you leave this with me - you’ve piqued my interest on this and I’d like to discuss it with our technical team just to make sure none of us have seen this before and I’m missing something obvious.

Jason (jasonh@bridgeway.co.uk)
2017-10-17 19:37:01

*Thread Reply:* @JaxxUK (hint!)

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 19:46:11

*Thread Reply:* We have a case open with MI, and have for a few weeks but seems to be no end in sight, which is why we are starting to try a few things to see what happens. Any suggestions you may have are greatly appreciated! @Jason

Woody (eric.woodland@trust.tc)
2017-10-17 22:51:11

*Thread Reply:* @thebjohn has MobileIron identified any areas they perceive to be a pain Point?

Woody (eric.woodland@trust.tc)
2017-10-17 22:52:08

*Thread Reply:* I’m curious if it’s taking more time to perform the DB export/zip or if it’s during the transfer process to the secondary, etc.

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 22:58:54

*Thread Reply:* Not yet. The NIC change on the ESX host was their only recommendation thus far

jaimin.s (jaimins@gmail.com)
2017-10-17 23:09:14

*Thread Reply:* I'd check what Jobs are running during synch to see if they can be interfering possibly

jaimin.s (jaimins@gmail.com)
2017-10-17 23:10:37

*Thread Reply:* When was DB clean up done last?

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 23:23:42

*Thread Reply:* We run the standard cleanups for housekeeping quarterly as well as prior to every Core upgrade.

thebjohn (brandonjohnson518@gmail.com)
2017-10-17 23:24:11

*Thread Reply:* It’s hard to catch since we haven’t seen consistent times, to determine what other processes are running.

Fabian (mobilxperts@neokortex.de)
2017-10-18 06:14:01

*Thread Reply:* Perhaps there is some existent debug logging functionality in the appsync script of secondary Core, which could be enabled. If not, I'd suggest to integrate such logging manually. It is important to understand what takes long, to identify why it takes long.

JaxxUK (paul.jacka@bridgeway.co.uk)
2017-10-18 16:42:48

*Thread Reply:* @thebjohn Quite a while back I have seen a similar issue and spent days searching round. The initial tests I would suggest on your dev environment if that has the issue, capture the port diagnostics and search the PCAP. Wireshark is what my guys used and came up with lots of DB error returns. We ended up as a test backing up the DB and restoring to fresh build of Core. This seemed to resolve in our case.

JaxxUK (paul.jacka@bridgeway.co.uk)
2017-10-18 16:43:10

*Thread Reply:* Apologies if you have already done this.

JaxxUK (paul.jacka@bridgeway.co.uk)
2017-10-18 16:43:36

*Thread Reply:* Infrastructure issues are always the most complex and each department always looks at the others.

Woody (eric.woodland@trust.tc)
2017-10-17 18:35:12

Yes @thebjohn. Very familiar with Core HA

Woody (eric.woodland@trust.tc)
2017-10-17 18:35:22

Want to thread it?

Jason Bayton (jason@bayton.org)
2017-10-17 18:36:56

*Thread Reply:* Like in ms teams, threading is not a default knee-jerk thing to do here. Could be better

Jason (jasonh@bridgeway.co.uk)
2017-10-17 18:37:38

*Thread Reply:* Agreed, but as this grows, so will the difficulty in finding questions/answers, so this makes sense.

Woody (eric.woodland@trust.tc)
2017-10-17 18:37:54

*Thread Reply:* Yeah - Easier to search for a thread and find all associated comments/etc

Woody (eric.woodland@trust.tc)
2017-10-17 18:38:13

*Thread Reply:* Only downside is you can’t drop attachments into threads

Jason Bayton (jason@bayton.org)
2017-10-17 18:39:23

*Thread Reply:* It could be more intuitive

Jason (jasonh@bridgeway.co.uk)
2017-10-17 18:39:33

*Thread Reply:* Yup.

Woody (eric.woodland@trust.tc)
2017-10-17 18:39:53

*Thread Reply:* Agree. I think we’ll see more revisions to it. We’re technically in 1st Gen threading, haha

Jason (jasonh@bridgeway.co.uk)
2017-10-17 18:40:17

*Thread Reply:* Where’s Usenet when you need it, eh?

Jason Bayton (jason@bayton.org)
2017-10-17 18:40:32

*Thread Reply:* Discourse :p

Woody (eric.woodland@trust.tc)
2017-10-17 18:40:39

*Thread Reply:* Slack - The Modern #IRC

Jason Bayton (jason@bayton.org)
2017-10-17 18:42:25

*Thread Reply:* ™

😆 Woody, Jason
Gabor Heinemann (gabor.heinemann@gmail.com)
2017-10-17 18:39:20

@Gabor Heinemann has joined the channel

Robert R. (rr10@gmx.de)
2017-10-17 20:28:05

@Robert R. has joined the channel

Woody (eric.woodland@trust.tc)
2017-10-17 22:53:49

/poll “Do you use MobileIron Access?” “Yes” “No” “Evaluating It” “Considering It”

NicolasR (raison_nicolas@me.com)
2017-10-17 23:09:06

I’ve posted that we are evaluating it: we work on Evals with customers currently

👍 Woody
Marc0R (marco.risati@youco.eu)
2017-10-18 11:05:26

@Marc0R has joined the channel

Woody (eric.woodland@trust.tc)
2017-10-18 15:52:33

@here Anyone here hosting Sentrys in AWS or Azure, by chance?

Woody (eric.woodland@trust.tc)
2017-10-18 15:52:40

*Thread Reply:* Threading this one

Jason Bayton (jason@bayton.org)
2017-10-18 16:01:03

*Thread Reply:* I don't know if current, but we've had Sentry in AWS.

thebjohn (brandonjohnson518@gmail.com)
2017-10-18 16:04:29

*Thread Reply:* All on-prem for us dawg

NicolasR (raison_nicolas@me.com)
2017-10-18 16:06:56

*Thread Reply:* Not yet for us

Fabian (mobilxperts@neokortex.de)
2017-10-18 16:09:19

*Thread Reply:* Standalone Sentry works, but currently only supported for MI Cloud afaik

Woody (eric.woodland@trust.tc)
2017-10-18 16:12:49

*Thread Reply:* That’s accurate, @Fabian. Just completing my first in Azure. Fairly straightforward, though I believe AWS is even easier.

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-18 20:27:59

*Thread Reply:* i am still trying to install a cloud sentry in Azure with arm mode

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-18 20:28:33

*Thread Reply:* if anyone has reliable cli commands in arm mode, let me know 🙂

NicolasR (raison_nicolas@me.com)
2017-10-18 21:16:27

*Thread Reply:* No, I think it is also supported with Core

Woody (eric.woodland@trust.tc)
2017-10-18 22:04:58

*Thread Reply:* @Ole Schulenburg AFAIK all it supports ATM is Classic. Haven’t seen much success on the latter

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-19 07:32:33

*Thread Reply:* well i know. i tried in our environment in asm mode and it worked. but this customer doesn't want to (or cant?) use asm and want to use arm

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-19 07:32:45

*Thread Reply:* anyway i have a set of commands, i will try them and let you know

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-19 07:32:46

*Thread Reply:* 🙂

Jason Bayton (jason@bayton.org)
2017-10-19 11:05:49

*Thread Reply:* @Ole Schulenburg a set of commands you say? Care to share? 🙂

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-19 11:17:06

*Thread Reply:* yes. if they work i will share them. i am getting around to test them this week. hopefully next tuesday

👍 Jason Bayton, Fabian
JaxxUK (paul.jacka@bridgeway.co.uk)
2017-10-18 16:32:17

@JaxxUK has joined the channel

Miklos Kerekfy (miklos@kerekfy.hu)
2017-10-18 16:41:29

@Miklos Kerekfy has joined the channel

Steffen Schlueter (sschlueter@mobileiron.com)
2017-10-19 13:55:48

@Steffen Schlueter has joined the channel

macbentosh (benbergthold@gmail.com)
2017-10-19 17:59:33

@Woody sitting down with Kevin and Mike talking about it now!

👏 Woody
thebjohn (brandonjohnson518@gmail.com)
2017-10-19 18:18:01

Everyone’s thoughts on the change in leadership at Mobile Iron? Moving their CFO to a CEO role means one thing to me

Jason Bayton (jason@bayton.org)
2017-10-19 18:21:54

*Thread Reply:* Looks like they aren't growing fast enough for investors. Makes sense to put a money man at the top.

👍 Woody
macbentosh (benbergthold@gmail.com)
2017-10-19 18:22:20

*Thread Reply:* what happen

Jason (jasonh@bridgeway.co.uk)
2017-10-19 18:23:31

*Thread Reply:* Having met them both, I understand. Barry was friendly enough, but not the dynamic leader that MobileIron deserves. I think that Simon is the right person for the job - he will do a great job leading them in their next phase of growth, IMHO.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2017-10-19 18:24:13

*Thread Reply:* @macbentosh Barry has left the business. Simon (previously CFO) has taken over.

macbentosh (benbergthold@gmail.com)
2017-10-19 18:24:26

*Thread Reply:* left or "Left"

Jason (jasonh@bridgeway.co.uk)
2017-10-19 18:27:59

*Thread Reply:* I believe the correct phrase is that “he was resigned”…

thebjohn (brandonjohnson518@gmail.com)
2017-10-19 18:28:11

*Thread Reply:* Replaced a people person with a finance guy, my perspective is more focus on bottom line and shareholders vs customers. May be a stretch, but just a perspective

Jason (jasonh@bridgeway.co.uk)
2017-10-19 18:29:43

*Thread Reply:* Bottom line hasn’t been unhealthy, though you could argue that top line hasn’t grown quickly enough. Having met both, in this case I would say that Simon inherited the extrovert genes.

👍 Woody
thebjohn (brandonjohnson518@gmail.com)
2017-10-19 18:33:35

*Thread Reply:* $3.42/share currently

Martin Cygan (martin@mobileiron.com)
2017-10-19 19:12:22

*Thread Reply:* @thebjohn MobileIron will never lose focus on customers. The product and the company are built upon customers' needs!

Martin Cygan (martin@mobileiron.com)
2017-10-19 19:13:05

/poll „Are you coming to MobileIron Live 2018 in Berlin?“ „Yes“ „No“ „Need to think about“

thebjohn (brandonjohnson518@gmail.com)
2017-10-19 19:14:40

I wish

Jason (jasonh@bridgeway.co.uk)
2017-10-19 19:18:40

@Martin Cygan Do we have confirmed dates now?

Martin Cygan (martin@mobileiron.com)
2017-10-19 19:19:51

15.05. Partner Summit, 16./17.05 MobileIron Live

👍 RobE
Jason Bayton (jason@bayton.org)
2017-10-19 19:33:51

*Thread Reply:* I'd certainly like to come to the next one!

Martin Cygan (martin@mobileiron.com)
2017-10-19 19:34:16

*Thread Reply:* So you have not been at the last one?

Jason Bayton (jason@bayton.org)
2017-10-19 19:35:04

*Thread Reply:* None so far, I was at the TPS but haven't ventured over to Berlin as yet.

Martin Cygan (martin@mobileiron.com)
2017-10-19 19:37:47

*Thread Reply:* You should. This is an experience you will never have somewhere else!

Jason Bayton (jason@bayton.org)
2017-10-19 19:41:57

*Thread Reply:* I don't see why I couldn't having the dates this far ahead 😎

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-20 08:34:26

*Thread Reply:* check

Jason (jasonh@bridgeway.co.uk)
2017-10-20 09:07:43

*Thread Reply:* Thanks - see you there!

Martin Cygan (martin@mobileiron.com)
2017-10-20 13:54:18

*Thread Reply:* Cool, see you all there!

Daniel Eiler (mail@danieleiler.net)
2017-10-19 20:14:23

@Daniel Eiler has joined the channel

Dennis Dorst (dennis.dorst@ebf.de)
2017-10-19 20:18:35

@Dennis Dorst has joined the channel

Thomas H. (the@sector27.de)
2017-10-19 20:18:45

@Thomas H. has joined the channel

Roopali (rrao3@woolworths.com.au)
2017-10-20 06:02:47

@Roopali has joined the channel

PD (patrick.dernehl@t-systems.com)
2017-10-20 08:27:32

@PD has joined the channel

Tobias (tobias.gruenewald@ebf.com)
2017-10-20 08:38:46

@Tobias has joined the channel

Jason Bayton (jason@bayton.org)
2017-10-20 12:02:10

Thanks for the release folks, I've been waiting on this for ages 🙂 https://bayton.org/2017/10/mobileiron-officially-supports-android-enterprise-qr-code-provisioning/

👍 Tobias, Woody, Russell Mohr, RobE
👏 Woody
Martin Cygan (martin@mobileiron.com)
2017-10-20 13:12:37

Quick announcement, the “Bridge Corner” will go live soon.

👍 Jason Bayton, Woody, RobE
Christian Jucker (christian.jucker@novartis.com)
2017-10-20 15:35:48

@Christian Jucker has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2017-10-20 15:42:22

Great job and thanks for all your efforts @Jason Bayton and #mobileiron in getting Android QR provisioning. Soon hopefully we can get the same for iOS with the stock camera app now supporting QR codes.

:the_horns: Woody, Russell Mohr
😄 Jason Bayton, aaron
Jason (jasonh@bridgeway.co.uk)
2017-10-20 15:46:09

*Thread Reply:* Why? Isn’t DEP enough for you or do you have another requirement in mind?

jaimin.s (jaimins@gmail.com)
2017-10-20 15:53:47

*Thread Reply:* Can't do DEP on BYOD

👍 Woody, Kiran Patel
Jason (jasonh@bridgeway.co.uk)
2017-10-20 15:55:56

*Thread Reply:* True, good point! 🙂

Jason (jasonh@bridgeway.co.uk)
2017-10-20 15:55:58

*Thread Reply:* Thanks

Jason (jasonh@bridgeway.co.uk)
2017-10-20 16:04:57

*Thread Reply:* Have you tried a QR code for the iReg process? You can generate one with the code and email it to the team, print it out, etc.

Jason (jasonh@bridgeway.co.uk)
2017-10-20 16:06:29

*Thread Reply:* https://<core_fqdn>/mifs/c/i/reg/reg.html

👍 jaimin.s
Jason (jasonh@bridgeway.co.uk)
2017-10-20 16:06:32

*Thread Reply:* For example

Woody (eric.woodland@trust.tc)
2017-10-20 16:12:53

*Thread Reply:* What would be dope is for the QR to include WiFi creds for a provisioning SSID. Curious what the likelihood of that happening is

jaimin.s (jaimins@gmail.com)
2017-10-20 16:14:03

*Thread Reply:* @Jason I believe you can send that QR code in your provisioning email too unless I'm mixing my UEM and MI knowledge.

Jason (jasonh@bridgeway.co.uk)
2017-10-20 16:14:20

*Thread Reply:* Correct.

Jason (jasonh@bridgeway.co.uk)
2017-10-20 16:15:09

*Thread Reply:* Though, that said, I haven’t tried it myself in a while. (Just a tick)

Jason (jasonh@bridgeway.co.uk)
2017-10-20 16:17:01

*Thread Reply:* Yup, as I thought, it’s HTML, so as long as you can host the image somewhere, you’re good to go.

Jason (jasonh@bridgeway.co.uk)
2017-10-20 16:19:46

*Thread Reply:* @Woody Not sure how you’d include the WiFi creds in a URL exactly, but open to being taught!

Woody (eric.woodland@trust.tc)
2017-10-20 16:21:29

*Thread Reply:* @Jason IDK if it’s possible either, but that would be epic. QR, join the network, install the client, become managed and you’re on your way. Same would be great at the beginning of the DEP wizard

Jason (jasonh@bridgeway.co.uk)
2017-10-20 16:22:23

*Thread Reply:* A sort of or similar format…

Woody (eric.woodland@trust.tc)
2017-10-20 16:23:11

*Thread Reply:* Right

Jason Bayton (jason@bayton.org)
2017-10-20 17:14:12

*Thread Reply:* You can share WIFI over QR, but it's inherently unsecure.

No worries @Kiran Patel, was a lot of fun to work on it 🙂

Jason (jasonh@bridgeway.co.uk)
2017-10-20 17:43:06

*Thread Reply:* @Jason Bayton How would you do that for iOS, please?

Jason Bayton (jason@bayton.org)
2017-10-20 17:47:58

*Thread Reply:* Android/iOS can both read a QR containing WiFi info, but I think a hosted configuration file with a link in the QR is likely the easiest and most secure. I'll see if I can figure something out

👍 Woody, Kiran Patel
Woody (eric.woodland@trust.tc)
2017-10-20 18:11:13

*Thread Reply:* The thought would be to hop them on an isolated ‘Provisioning’ WiFi segment just for enrolling to MDM, so even if someone deciphered the creds they would have minimal access

Jason (jasonh@bridgeway.co.uk)
2017-10-20 18:12:10

*Thread Reply:* Exactly. Onto a guest wifi, enrol through ireg, job done!

💯 Woody
Kiran Patel (kiran@kiranpatel.net)
2017-10-20 20:56:27

*Thread Reply:* guest wifi + ireg + ideally one time unique for users username and pin in the reg email would be great.

Kiran Patel (kiran@kiranpatel.net)
2017-10-20 20:56:38

*Thread Reply:* Not sure if all of that is technically possible but that's the vision

Barrie Codona (barrie.codona@hotmail.com)
2017-10-20 16:24:24

@Barrie Codona has joined the channel

Ole Schulenburg (ole.schulenburg@lineas.de)
2017-10-20 21:22:15

hi barrie 🙂

Jason Bayton (jason@bayton.org)
2017-10-24 17:35:18

New in MI Go and AtWork, big Android focus:

• Admins can disable Unknown Sources device-wide (requires Google Play update)

• Support for Firebase Cloud Messaging

• TeamViewer for Android enterprise (device owner, work profile)

• Work managed device Kiosk mode - added user options for Date/Time and Mobile settings

• Unlock devices now resets password to “0000”

Coming #soon

👏 Woody, NicolasR
Damian (support@expertmobilite.com)
2017-10-24 23:13:57

@Damian has joined the channel

Woody (eric.woodland@trust.tc)
2017-10-25 15:14:42

Anyone using Core to administer iOS MAM? One question: When a device is “retired”, how long does it take to acknowledge the retire and remove the configuration profiles (if at all)?

NicolasR (raison_nicolas@me.com)
2017-10-25 15:44:19

Hi Eric, yes we do 🙂

NicolasR (raison_nicolas@me.com)
2017-10-25 15:44:50

iOS MAM only should use AppConnect

NicolasR (raison_nicolas@me.com)
2017-10-25 15:45:20

if using AppConnect, as every time you open an AppConnect app you check the status in the MI Client, then it retires the device

NicolasR (raison_nicolas@me.com)
2017-10-25 15:45:24

but

Woody (eric.woodland@trust.tc)
2017-10-25 15:45:29

Right, b/c Core owns/controls the container and if the relationship is severed it will remove, apps as well

NicolasR (raison_nicolas@me.com)
2017-10-25 15:45:49

The iOS profiles and Apps are not removed

Woody (eric.woodland@trust.tc)
2017-10-25 15:45:57

Right

Woody (eric.woodland@trust.tc)
2017-10-25 15:46:11

Scenario I’m testing is native in-house iOS App.

Woody (eric.woodland@trust.tc)
2017-10-25 15:46:38

So what I’m seeing lines-up. No native ability to forcibly remove anything w.o a formal MDM profile

NicolasR (raison_nicolas@me.com)
2017-10-25 15:47:06

As you don’t manage the device, yes, you only work on the AppConnect container

NicolasR (raison_nicolas@me.com)
2017-10-25 15:47:21

you can remove the certificates only if they are in the AppC container

Woody (eric.woodland@trust.tc)
2017-10-25 15:50:32

Right. That makes sense

Woody (eric.woodland@trust.tc)
2017-10-25 15:51:22

I’ll check and see if AppConnect is an option for this scenario. The only components will be Core/M@W/App (Wrapped for AppConnect). Correct?

Fabian (mobilxperts@neokortex.de)
2017-10-25 16:10:12

Basically yes, but there is one more important aspect: How do you ship the InHouse App to the device? This would at least require the Apps@Work Webclip or Apps@Work container App

Fabian (mobilxperts@neokortex.de)
2017-10-25 16:11:03

MobileIron is fine for MAM, when using an MDM profile. I think it's no good MAM without, at least not on iOS.

👍 Woody
Fabian (mobilxperts@neokortex.de)
2017-10-25 16:11:27

You can restrict an MDM profile's permissions accordingly, if user concerns have to be mitigated

Woody (eric.woodland@trust.tc)
2017-10-25 16:11:46

In testing, I pushed the Apps@Work WebClip/Cert and it arrived. That was fairly smooth. App request was fine, but the user Trusting would be perceived as weird.

Woody (eric.woodland@trust.tc)
2017-10-25 16:14:56

That makes sense about using a subset of MDM for “MAM” @Fabian. Issue with what I’m discussing is the devices in question are subcontractors and may already be in a relationship with another MDM

Fabian (mobilxperts@neokortex.de)
2017-10-25 16:19:17

My writing was interrupted by an incoming call... that was what I was writing 😉 - Using MAM without MDM is interesting when you assume there might be another MDM. The other MDM will likely try to prohibit the usage of any 3rd party app authors, unknown profiles, etc. This could in general be a problematic approach.

Fabian (mobilxperts@neokortex.de)
2017-10-25 16:21:42

E.g. if you have a manufacturer of furniture, which provides some nice Apps for how to arrange these, the furniture shops selling this furniture would have an intrinsic motivation to distribute such Apps to their employees via their own MDM. The goal of the manufacturer would be achieved, providing the Apps to the customers 🙂

Fabian (mobilxperts@neokortex.de)
2017-10-25 16:21:54

However, less revenue for the MAM provider 😉

Woody (eric.woodland@trust.tc)
2017-10-25 16:25:47

All good points, @Fabian.

Woody (eric.woodland@trust.tc)
2017-10-25 16:27:02

In the use case of AppConnect, would the abilities of the existing MDM profile be limited? Since the entire thing is housed inside Mobile@Work, with the exception of the AppConnect App’s Distribution Profile.

Fabian (mobilxperts@neokortex.de)
2017-10-25 16:30:32

You'd have Mobile@Work, Apps@Work Webclip, Apps@Work Client Certificate - But what happens when starting the installation of an InHouse App from within Apps@Work? The user would be prompted to trust that developer and install the provisioning profile of the .ipa file. If the existing MDM denies that trust (not sure whether this might be limited to supervised devices only), you cannot install any InHouse App past that MDM.

👍 Woody
Fabian (mobilxperts@neokortex.de)
2017-10-25 16:32:16

However, if you already got Apps@Work Webclip and Client Cert installed on the device, it is very likely that installing the InHouse App will also work 😉

Woody (eric.woodland@trust.tc)
2017-10-25 16:32:28

True!

Woody (eric.woodland@trust.tc)
2017-10-25 16:33:38

So, regardless if you’re using native iOS or AppConnect-wrapped app, you’d still be subject to the same possible scrutiny from a pre-existing MDM’s perspective

Kiran Patel (kiran@kiranpatel.net)
2017-10-25 17:15:08

side question to the topics above... with the ability to specify a cert in the SSO config is there a way around the pesky cert prompt for the Apps@Work WebClip?

Woody (eric.woodland@trust.tc)
2017-10-25 17:16:23

That’s an iOS thing @Kiran Patel. It was gone for awhile and now it’s returned as of iOS 9 or 10.

thebjohn (brandonjohnson518@gmail.com)
2017-10-25 17:19:12

It only prompts once to accept though, unless you clear Safari cache that is, then I believe it will prompt at next launch only once though after accepting, correct?

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2017-10-25 17:21:30

correct and every new device enrollment

👍 Woody
Woody (eric.woodland@trust.tc)
2017-10-25 17:39:03

I do wonder if you installed the CA identity for A@W to the device, if it would prompt. They used to automatically look at what cert the site was calling for and provide it. For whatever reason that was deemed inappropriate or insecure.

Fabian (mobilxperts@neokortex.de)
2017-10-25 18:02:33

It would allow an unknown internet website to query you during the TLS handshake whether you have a client cert of one of the following 50 CAs, for discovering to which enterprise you might belong and deliver malware accordingly. It's kind of DLP, that's ok. But Apple missed to provide a solution for enterprises with EMM...

✅ Woody, NicolasR
Fabian (mobilxperts@neokortex.de)
2017-10-25 18:16:37

Shouldn't we invite someone from Apple in here? 😄

👍 NicolasR
Woody (eric.woodland@trust.tc)
2017-10-25 18:17:52

We’ve got one - @thomrburg. I’ve got another in mind

SebastienP (spernot@gmail.com)
2017-10-25 20:57:22

@SebastienP has joined the channel

NicolasR (raison_nicolas@me.com)
2017-10-25 21:06:07

Hi guys sorry I didn’t take the time to answer about MAM only. Few things:

  • InHouse Apps work fine but require manually trusting the certificate
  • Apps@work can be installed on the device (even certificate) - via a profile installed through M@W

Cautions:

  • update tab doesn’t work as it leverages apps inventory
  • every policy change or Config change + Core update requires re-installing the Apps@work profile (I haven’t found a way to mitigate this yet)
👍 Woody, Fabian
👏 Woody
Sebastiaan (sebastiaan.smits@dahvo.com)
2017-10-26 16:06:28

@Sebastiaan has joined the channel

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 17:58:45

Core 9.5 testing, on-prem, iOS 11 devices. Testing passcode requirement changes, in particular, changing from 4 to 6 for a particular program. After change, device continuously prompts for new PIN, but can be ignored constantly. Mobile Iron recognizes Passcode Compliant in device details as False, yet after 2 days of check in and Compliance checks, doesn’t flag non Compliant, thoughts?

Woody (eric.woodland@trust.tc)
2017-10-26 19:37:01

*Thread Reply:* Interesting. I honestly don’t know that any of the protocols/values for this age-old setting would/should have changed with iOS 11.

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 19:52:34

*Thread Reply:* That was my thought too, maybe a Core bug?

Woody (eric.woodland@trust.tc)
2017-10-26 19:55:49

*Thread Reply:* Any chance you’re part of the Preview Program? 9.6 (Atlanta) has a lot of iOS 11 improvements

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 19:58:07

*Thread Reply:* We are not

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 19:58:20

*Thread Reply:* ETA still end of November release?

Woody (eric.woodland@trust.tc)
2017-10-26 20:02:19

*Thread Reply:* That’s the general ballpark, yes

Woody (eric.woodland@trust.tc)
2017-10-26 20:03:08

*Thread Reply:* I was also checking the general iOS 11 Compatibility page and saw no mention of something like this: https://community.mobileiron.com/docs/DOC-6671

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 20:05:08

*Thread Reply:* Ya, we are a little baffled on this. Reason I ask is we plan to align all of our programs to a 6-digit minimum, which is lowering Corp stuff from 8 to 6, but upping BYOD from 4 to 6. Need to confirm Core marks as non-Compliant if at 4, but doesn’t seem to be the case in testing in 9.5

Woody (eric.woodland@trust.tc)
2017-10-26 20:40:42

*Thread Reply:* Do you have “policy out of date” compliance actions in place?

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 21:39:05

*Thread Reply:* This may be iOS 11 specific

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 21:40:00

*Thread Reply:* I tested on a 10.3.3 device with only a 4-digit PIN prior to registering. It then gave me continuous prompts every 15 minutes when I selected later, but after 1 hour, forced me to change it, expected behavior. iOS 11 device just seems to allow just pressing later

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 21:43:24

*Thread Reply:* Confirming one more time on an 11.0.3 device that this is the case

👍 Woody
Woody (eric.woodland@trust.tc)
2017-10-26 21:50:34

*Thread Reply:* Do you have iOS 11.1 Beta 5-ish to try as well?

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 21:51:32

*Thread Reply:* Not yet. That’s another thing to try

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 21:52:30

*Thread Reply:* I have to test as is first with official releases since we block Betas for Corp and BYOD devices. By block, we have compliance actions, but I’m special and am excluded. Once the hour wait period is up on my 11 device I just re-enrolled, I’ll try a beta release and see

Woody (eric.woodland@trust.tc)
2017-10-26 21:53:16

*Thread Reply:* Roger @thebjohn. Over and out

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 21:54:25

*Thread Reply:* I’ll report back on findings

thebjohn (brandonjohnson518@gmail.com)
2017-10-26 21:55:21

*Thread Reply:* If an iOS 11-11.0.3 bug only, then hooray

🍻 Woody
NicolasR (raison_nicolas@me.com)
2017-11-02 06:34:22

MobileIron will officially support MAM only scenarios! From what I was saying last time we discussed, the prompt for every policy change will disappear !! Great news!!

👍 Jason Bayton, Woody, Jason
Woody (eric.woodland@trust.tc)
2017-11-02 14:10:23

Great news, @NicolasR!

Kiran Patel (kiran@kiranpatel.net)
2017-11-02 21:19:27

@NicolasR when will it be officially supported?

Russell Mohr (rmohr@mobileiron.com)
2017-11-02 21:41:17

Core 9.6

Russell Mohr (rmohr@mobileiron.com)
2017-11-02 21:41:27

GA target 11/15

👍 RobE
Russell Mohr (rmohr@mobileiron.com)
2017-11-02 21:42:04

iOS will require separate Core instance

Jason Bayton (jason@bayton.org)
2017-11-02 21:46:59

Looking forward to the drop @Russell Mohr! Why the separate Core instance?

Russell Mohr (rmohr@mobileiron.com)
2017-11-02 21:50:15

Basically I think it’s a limitation around how the MDM cert is distributed on Core.

onires53 (jason.r.serino@gmail.com)
2017-11-02 21:55:31

Interesting. The beta definitely has our attention. We are still on 9.4 and decided to hold off on 9.5. 9.6 gives several items we have been anxiously waiting for.

👍 Woody
thebjohn (brandonjohnson518@gmail.com)
2017-11-02 21:59:21

Ya 9.5 broke some stuff for us, so we are holding off until 9.6

thebjohn (brandonjohnson518@gmail.com)
2017-11-02 21:59:53

The MAM only solution still requires a client (Mobile@Work) on the device though correct?

onires53 (jason.r.serino@gmail.com)
2017-11-02 22:02:18

Yeah. A lot of issues with 9.5 so we held off. Only issue for us is that our Android O clients cannot get to the Apps@Work store. But we are willing to hold off until 9.6.

NicolasR (raison_nicolas@me.com)
2017-11-02 22:22:06

The test I have done that fixes the issue was done against CORE 9.4 with M@W 9.7 😉

NicolasR (raison_nicolas@me.com)
2017-11-02 22:22:13

and yes separate CORE instance

Jason Bayton (jason@bayton.org)
2017-11-03 11:39:14

MobileIron Cloud - I've set up a policy for whitelisted applications and want to email administrators when the device(s) fall out of compliance. The policy setup only allows user notification from what I can see. Any hidden options by chance? cc @Woody @Russell Mohr

(I've created a report outputting users in CSV, but this isn't what the customer wants.. )

Russell Mohr (rmohr@mobileiron.com)
2017-11-03 13:30:45

@Jason Bayton no hidden option

Russell Mohr (rmohr@mobileiron.com)
2017-11-03 13:30:58

Best you can do is use scheduled reporting

Russell Mohr (rmohr@mobileiron.com)
2017-11-03 13:31:09

and generate a policy violation report every 4 hours

Jason Bayton (jason@bayton.org)
2017-11-03 13:33:19

*Thread Reply:* :( ok. The report doesn't go into enough detail for the customer.

Russell Mohr (rmohr@mobileiron.com)
2017-11-03 13:34:57

*Thread Reply:* gotcha. I’d like to see this improved too

👍 Jason Bayton
Kiran Patel (kiran@kiranpatel.net)
2017-11-03 13:31:36

Has anyone configured Tunnel with Split Tunneling and using wildcards? We are seeing an issue with users who have a VPN config pushed from MobileIron on the device but have not yet installed Tunnel. Since our root domain is in the VPN config to support split tunneling, they aren't able to get to our public website (which is the same domain name as our internal)

Kiran Patel (kiran@kiranpatel.net)
2017-11-03 13:33:11

@Jason Bayton - MI Cloud doesn't have the "CC to Admins" option that MI Core (On Prem) has?

Jason Bayton (jason@bayton.org)
2017-11-03 13:33:45

*Thread Reply:* Seemingly not, see Russ' reply above.

Kiran Patel (kiran@kiranpatel.net)
2017-11-03 18:34:06

*Thread Reply:* Unfortunate - will be nice once they finally merge the code for the 2 products

thebjohn (brandonjohnson518@gmail.com)
2017-11-03 14:05:47

I think we are seeing the same issue, where we have sites hosted internal and external, but with the same domain identified. We have to start adding individual URLs in each Tunnel sentry for Advance Traffic Control so that it proxies that traffic back out.

macbentosh (benbergthold@gmail.com)
2017-11-03 22:02:24

just dep’d through an iphone x…will not connect to mail server…

NicolasR (raison_nicolas@me.com)
2017-11-04 08:53:53

Thanks! But what is correlation between DEP and mail server? :-(

🤔 Woody
Fabian (mobilxperts@neokortex.de)
2017-11-05 14:28:32

Probably a different EAS device type identifier within the initial Options/Foldersync?

Fabian (mobilxperts@neokortex.de)
2017-11-05 14:39:47

@Russell Mohr Will the MAM only be part of Silver, or will it be a dedicated license? I’d love seeing it in Silver, not creating any financial barrier towards more sophisticated MDM with current Silver

Russell Mohr (rmohr@mobileiron.com)
2017-11-05 14:46:44

Pretty sure it’s silver

Russell Mohr (rmohr@mobileiron.com)
2017-11-05 14:46:49

need to check

Russell Mohr (rmohr@mobileiron.com)
2017-11-05 14:46:52

Actually on Core

Russell Mohr (rmohr@mobileiron.com)
2017-11-05 14:47:02

has to be gold… Appconnect is gold

Russell Mohr (rmohr@mobileiron.com)
2017-11-05 14:47:19

on Cloud it’s silver, no AppConnect

Russell Mohr (rmohr@mobileiron.com)
2017-11-05 14:47:57

on Cloud, it’s iOS only for the moment, no MobileIron Go app required

Russell Mohr (rmohr@mobileiron.com)
2017-11-05 14:48:17

On Core, Mobile@Work is required

Russell Mohr (rmohr@mobileiron.com)
2017-11-05 14:48:49

AppConnect won’t work without the MobileIron agent

Russell Mohr (rmohr@mobileiron.com)
2017-11-05 14:49:59

BTW, how you doing @Fabian? Long time no see! I need to come visit you guys in Koln!

👍 Tobias, Woody
Fabian (mobilxperts@neokortex.de)
2017-11-06 10:57:33

Doing a good job, flooded with orders... By all means sufficient work 👷 You're always welcome 🙂

👍 Russell Mohr
macbentosh (benbergthold@gmail.com)
2017-11-06 18:34:23

anyone doing mam only on cloud

Woody (eric.woodland@trust.tc)
2017-11-07 13:07:11

I haven’t tried it lately @macbentosh. I know it’s a big feature touted in Core 9.6.

macbentosh (benbergthold@gmail.com)
2017-11-07 22:32:30

really? We are being pushed towards cloud for it

Jason Bayton (jason@bayton.org)
2017-11-07 23:53:04

Likely because no one is talking about 9.6 officially yet perhaps?

👍 Woody
Fabian (mobilxperts@neokortex.de)
2017-11-08 06:41:10

MobileIron is in general pushing towards Cloud ;-)

👍 Jason
macbentosh (benbergthold@gmail.com)
2017-11-08 17:59:43

what’s the release date for .6

Martin Cygan (martin@mobileiron.com)
2017-11-08 18:17:35

Expect it soon ;-) GMRC is already out.

Jason Bayton (jason@bayton.org)
2017-11-08 19:49:39

Really? I haven't had an alert since the first beta dropped :p

macbentosh (benbergthold@gmail.com)
2017-11-08 23:47:31

anyone having issues with kcd and iphone x

macbentosh (benbergthold@gmail.com)
2017-11-08 23:47:49

getting connection to server failed until we reboot.

Fabian (mobilxperts@neokortex.de)
2017-11-09 06:23:34

Not yet - That‘s not related to the initial reports about EAS throttling when iPhone X was released? What does Sentry say?

NicolasR (raison_nicolas@me.com)
2017-11-09 13:56:07

I think there is a global issue with iPhone X...

NicolasR (raison_nicolas@me.com)
2017-11-09 13:56:18

not tested yet unfortunately

NicolasR (raison_nicolas@me.com)
2017-11-09 13:56:21

only iPhone 8...

Woody (eric.woodland@trust.tc)
2017-11-09 15:25:04

Interesting @macbentosh. Curious to hear what the Sentry logs say as well

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 13:43:51

API to force iOS update on supervised devices?

aaron (aaron@groundctl.com)
2017-11-13 14:02:03

On Core? I don’t think that is a supported action in the api.

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 14:29:38

On Core yes, 9.4 at the moment

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 14:29:49

Doing 200/page in the GUI is not ideal

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 14:29:55

For 7,000+ devices

Jason Bayton (jason@bayton.org)
2017-11-13 14:31:01

Assemble, perhaps?

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 14:38:24

That’s what I’m thinking

Woody (eric.woodland@trust.tc)
2017-11-13 15:09:29

Yeah, I’d side with @Jason Bayton and say if anything, Assemble would be the go-to for this request.

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 15:14:49

Much appreciated gents

Woody (eric.woodland@trust.tc)
2017-11-13 15:19:07

It’s items like this that really warrant some sort of easy front-end for the API in Cloud as well (cough Assemble cough)

japple (jeffapple@yahoo.com)
2017-11-13 21:03:44

In regards to “Web Application” deployment via Core. Is there a way to…

  1. Push the “Web application” for deployment
  2. Uninstall the application (outside of unassigning the device or app from a label)
japple (jeffapple@yahoo.com)
2017-11-13 21:13:06

Whelp! Found in the forums that it’s been requested to grant the user the ability to uninstall/remove a web application. Still didn’t find if there was a way to push a web application. Unless there is a way that I can’t find.

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 22:08:43

You mean a WebClip? You can publish WebClips today

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 22:09:26

They can also be configured table launch in Web@Work if that is your preference

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 22:09:43

To launch** Thank you autocorrect

NicolasR (raison_nicolas@me.com)
2017-11-13 23:15:51

No way to publish web clips on Android... so hard to understand why MI didn’t implement this...

thebjohn (brandonjohnson518@gmail.com)
2017-11-13 23:20:33

Is it a limitation of Android or Mobile Iron?

Daniel Eiler (mail@danieleiler.net)
2017-11-14 09:03:49

Is there any information from MobileIron regarding iPhone X app (design) updates for Mobile@Work, Docs@Work, Web@Work and especially Email+? There‘s an email+ 2.9 beta but without UI adjustments

Jason Bayton (jason@bayton.org)
2017-11-14 09:12:13

*Thread Reply:* I haven't seen anything as yet? Does it look horrendous? 😄

Daniel Eiler (mail@danieleiler.net)
2017-11-14 09:39:32

*Thread Reply:* There‘s just a lot of black space, not nice if email+ is your daily mail client 😀

Daniel Eiler (mail@danieleiler.net)
2017-11-14 09:40:33

*Thread Reply:* http://d.pr/i/XVSQ3b/CJE078kk

Daniel Eiler (mail@danieleiler.net)
2017-11-14 09:40:54

*Thread Reply:* http://d.pr/i/87eArG/4XtpdA2i

Jason Bayton (jason@bayton.org)
2017-11-14 09:48:22

*Thread Reply:* 😆 I guess it makes sense they hard-code the height? I mean it looks like they have done that at least.

Daniel Eiler (mail@danieleiler.net)
2017-11-14 11:59:29

*Thread Reply:* Last feedback from support: „There will only be a limited difference between iPhone 8 and iPhone X from the apps perspective“

Jason Bayton (jason@bayton.org)
2017-11-14 12:02:49

*Thread Reply:* Well that's fine if the "limited difference" is filling the black bars..

😂 Daniel Eiler
NicolasR (raison_nicolas@me.com)
2017-11-14 10:08:57

MobileIron CORE. CLOUD supports it.

} Brandon Johnson (https://mobilxperts.slack.com/team/U1VJYP9S9)
japple (jeffapple@yahoo.com)
2017-11-14 13:52:23

Nah, I was referring to a Web Application as opposed to a WebClip.

Woody (eric.woodland@trust.tc)
2017-11-14 14:14:11

So @japple you’re looking for a way that a user could request a Web App from Apps@Work, then uninstall/remove it in a similar way. Yes?

japple (jeffapple@yahoo.com)
2017-11-14 14:15:39

I see that a user can tap to “install” the Web App from Apps@Work, but I was wondering if there was a way to “push” it automatically for them. And also the ability to uninstall/remove it.

Woody (eric.woodland@trust.tc)
2017-11-14 14:43:06

Well, the equivalent of “Pushing” them a Web App is pushing them a WebClip. Deleting the WebClip (either requested as a Web App or pushed as a WebClip) is the only way to get rid of the “Web App”

macbentosh (benbergthold@gmail.com)
2017-11-15 17:46:18

got the email about sentry 9.2…when does that drop?

Woody (eric.woodland@trust.tc)
2017-11-15 18:07:59

@macbentosh I believe Core 9.6 is scheduled to drop sometime around now and I would guess we’ll see Sentry 9.2 in a similar timeframe. Those two tend to pair-up nicely, so release dates are coordinated to be near one another.

Martin Cygan (martin@mobileiron.com)
2017-11-15 19:38:01

Sentry 9.2 targeted for beginning of December.

👍 Woody, Jason Bayton, Jason
Woody (eric.woodland@trust.tc)
2017-11-15 19:53:44

Thanks, @Martin Cygan!

✋ Martin Cygan, Jason Bayton
SebastienP (spernot@gmail.com)
2017-11-15 22:24:00

Is there a way to automatically remove an app if the user is no more connected to WiFi? A specific in-house app that mustn’t be used outside office. Thx in advance

macbentosh (benbergthold@gmail.com)
2017-11-15 22:35:27

assemble

SebastienP (spernot@gmail.com)
2017-11-15 22:38:16

*Thread Reply:* Thanks. With a script running every x minutes, and then install it when connected to WiFi. Go and see assemble trigger name. Thanks again

Russell Mohr (rmohr@mobileiron.com)
2017-11-15 23:15:41

*Thread Reply:* Much better to control access to the destination than to remove the app

Russell Mohr (rmohr@mobileiron.com)
2017-11-15 23:16:28

*Thread Reply:* Use tunnel to a sentry on the local network for example

Russell Mohr (rmohr@mobileiron.com)
2017-11-15 23:17:02

*Thread Reply:* don’t expose sentry to outside world- only accessible from that WIFI network

SebastienP (spernot@gmail.com)
2017-11-15 23:20:44

*Thread Reply:* The app got cache on it. So user can access to data so even in plane mode they can access :(

👍 Russell Mohr
Tobias (tobias.gruenewald@ebf.com)
2017-11-16 08:24:29

*Thread Reply:* Other options: AirPatrol (geo fencing) or Cisco ISE (if in use) integration

SebastienP (spernot@gmail.com)
2017-11-16 08:36:47

*Thread Reply:* Assemble and geofencing was yesterday a solution but I have to inventory all gps sites so I will look for air patrol. We have Cisco ise but what was your thoughts ? Thanks

Tobias (tobias.gruenewald@ebf.com)
2017-11-16 10:07:48

*Thread Reply:* Not sure about the ISE capabilities with the MI API, but I would envision that ISE can add/remove labels whenever the device joins/leaves an ISE managed WiFi.

SebastienP (spernot@gmail.com)
2017-11-16 10:34:48

*Thread Reply:* Ah yes, I used to work with mi api and trusted devices enrolled onto MI with a trigger that was MAC address. But it could be very difficult due to energy saving. I will force app dev to shutdown app if no ssid connected and a specific url with ok 200. too complicated and painful for end user

SebastienP (spernot@gmail.com)
2017-11-16 10:34:59

*Thread Reply:* Thx

Tobias (tobias.gruenewald@ebf.com)
2017-11-16 10:54:11

*Thread Reply:* probably the easiest solution if you have control over the app development 🙂

SebastienP (spernot@gmail.com)
2017-11-16 10:56:04

*Thread Reply:* @Tobias I will force to do that. Thanks again

Martin Cygan (martin@mobileiron.com)
2017-11-16 07:35:40

> MobileIron’s beta version of Monitor 1.2.0.0 is now available for testing.

Jason Bayton (jason@bayton.org)
2017-11-16 09:57:55

The upgrade to 9.6 this AM was an absolute doddle. Nice one @Martin Cygan & co 🙂

👏 Woody
Woody (eric.woodland@trust.tc)
2017-11-16 13:29:07

+1 for Core 9.6 upgrades.

thebjohn (brandonjohnson518@gmail.com)
2017-11-16 13:29:49

Looking at doing it today in QA

Jason Bayton (jason@bayton.org)
2017-11-16 13:31:10

Have ye no faith @thebjohn? 😛

Woody (eric.woodland@trust.tc)
2017-11-16 13:31:17

Full disclosure: It was in my lab, but the experience was smooth. Ah, I remember back in the 7.x days when that was not so much the case 🙃

thebjohn (brandonjohnson518@gmail.com)
2017-11-16 13:33:15

@Jason Bayton Ding ding ding

macbentosh (benbergthold@gmail.com)
2017-11-16 15:28:39

downloading 9.6 now…Let’s do it!

macbentosh (benbergthold@gmail.com)
2017-11-16 15:28:45

almost a gb…

Woody (eric.woodland@trust.tc)
2017-11-16 15:29:12

Everybody now, make our CDN feel the burn!

macbentosh (benbergthold@gmail.com)
2017-11-16 15:32:05

snapshot complete // Update downloaded

macbentosh (benbergthold@gmail.com)
2017-11-16 15:32:10

here we go in 3

macbentosh (benbergthold@gmail.com)
2017-11-16 15:32:11

2

macbentosh (benbergthold@gmail.com)
2017-11-16 15:32:12

1

Jason Bayton (jason@bayton.org)
2017-11-16 15:33:49

*explosion*

macbentosh (benbergthold@gmail.com)
2017-11-16 15:37:47

how does one do this to a virtual server?

Woody (eric.woodland@trust.tc)
2017-11-16 15:39:03

I’m sure if they’re real Gangstas, they’ll find a way

macbentosh (benbergthold@gmail.com)
2017-11-16 15:52:39

so what’s new in this? MAM?

Jason Bayton (jason@bayton.org)
2017-11-16 16:05:32

*Thread Reply:* Mac controls, AE improvements, windows improvements, few other bits and pieces. Looks like a major Mac release actually.

Woody (eric.woodland@trust.tc)
2017-11-16 16:49:52

*Thread Reply:* My favorite is the Work Schedule policy

Russell Mohr (rmohr@mobileiron.com)
2017-11-17 15:33:16

*Thread Reply:* Microsoft Graph API is big

Woody (eric.woodland@trust.tc)
2017-11-17 17:11:27

*Thread Reply:* Oh yes, I forgot about that @Russell Mohr

Woody (eric.woodland@trust.tc)
2017-11-16 16:49:59
thebjohn (brandonjohnson518@gmail.com)
2017-11-16 16:51:54

Man, that is some serious lockdown capabilities on a device. I’m curious what type of Enterprise/government agency would leverage this feature

Jason Bayton (jason@bayton.org)
2017-11-16 16:58:17

France are big on this due to local laws I think. Possibly Germany too.

👍 SebastienP, Jason
thebjohn (brandonjohnson518@gmail.com)
2017-11-16 16:58:37

Interesting.

thebjohn (brandonjohnson518@gmail.com)
2017-11-16 16:58:55

I know the German Workers Council is a crazy deal, but didn’t realize it was to this extent

Martin Cygan (martin@mobileiron.com)
2017-11-16 17:06:58

DAIMLER + VW introduced this already in 2010 with BB

Woody (eric.woodland@trust.tc)
2017-11-16 17:30:03

I welcome it for the US. I can’t count the amount of times I’ve “turned off work” on my devices during the nights/weekends. Although, I do commend Android for being able to “turn off” the work profile. It just needs to be more easily accessible.

Jason Bayton (jason@bayton.org)
2017-11-16 18:07:38

@Jason Bayton uploaded a file: 201711161806_00.gif

Woody (eric.woodland@trust.tc)
2017-11-16 18:15:33

Ah, nice @Jason Bayton - IdK how I overlooked that

Woody (eric.woodland@trust.tc)
2017-11-16 18:15:55

Perhaps it was back in 6.x when I discovered and hadn’t looked around in awhile

Tobias (tobias.gruenewald@ebf.com)
2017-11-17 08:29:07

@Jason Bayton What tool are you using to create these animated screen GIFs on the fly?

Jason Bayton (jason@bayton.org)
2017-11-17 08:36:29

@Tobias I switch between Mirror and AZ screen recorder

✅ Woody, NicolasR
Woody (eric.woodland@trust.tc)
2017-11-17 18:28:48

@Jason Bayton it looks like the putting Work to Sleep feature arrived in Oreo? Just checked on 6/7 and didn’t see it.

Jason Bayton (jason@bayton.org)
2017-11-17 18:31:13

6 I think. Some OEMs didn't implement it for some bizarre reason (I've written about that previously).

Woody (eric.woodland@trust.tc)
2017-11-17 19:59:41

Gotcha. Come on Samsung, you’re better than that!

macbentosh (benbergthold@gmail.com)
2017-11-20 18:30:01

still no ability to add a wallpaper in an automated fashion to ios with MI Core?

Woody (eric.woodland@trust.tc)
2017-11-20 19:52:16

In an automated fashion @macbentosh - Like, outside the Add New -> Policy or in terms of automatically distributing it?

macbentosh (benbergthold@gmail.com)
2017-11-20 20:18:56

yeah enroll and boom!

Russell Mohr (rmohr@mobileiron.com)
2017-11-20 23:04:18

yes in Core 9.6 it's a config

Russell Mohr (rmohr@mobileiron.com)
2017-11-20 23:04:28

not just an “Action”

Russell Mohr (rmohr@mobileiron.com)
2017-11-20 23:05:32

Although now that I said that I’m having trouble finding it….

Russell Mohr (rmohr@mobileiron.com)
2017-11-20 23:06:40

OK we got creative and called it a policy

NicolasR (raison_nicolas@me.com)
2017-11-20 23:50:37

*Thread Reply:* Still wondering why some configurations are not policies and vice versa... iOS restrictions should be lockdown policies!!

Russell Mohr (rmohr@mobileiron.com)
2017-11-20 23:06:53

@Russell Mohr uploaded a file: Policy.png

Russell Mohr (rmohr@mobileiron.com)
2017-11-20 23:07:29

which is also what @Woody said. Need glasses here. But it is new in 9.6 as a policy.

👍 Woody
thebjohn (brandonjohnson518@gmail.com)
2017-11-20 23:20:29

Not just supervised devices?

Woody (eric.woodland@trust.tc)
2017-11-20 23:20:57

“This policy applies to iOS 9.3+ supervised devices only.”

thebjohn (brandonjohnson518@gmail.com)
2017-11-20 23:22:16

@thebjohn uploaded a file: Slack for iOS Upload

thebjohn (brandonjohnson518@gmail.com)
2017-11-20 23:22:41
Woody (eric.woodland@trust.tc)
2017-11-20 23:28:09

I blame it on the Fruit company.

👍 Russell Mohr, Jason
Jason (jasonh@bridgeway.co.uk)
2017-11-21 07:18:11

Why the downvote, @thebjohn? You wouldn’t want your own BYOD having a corporate wallpaper set, would you?

👍 Kiran Patel
Jason (jasonh@bridgeway.co.uk)
2017-11-21 07:21:01

Apple’s recent changes to limit which permissions/restrictions can be set on iOS devices seem to put the consumer - and their privacy - first. Without trying to sound like a fanboi, I wish more ISVs and manufacturers took this view (I’m looking at you LinkedIn/Microsoft, Facebook and Google…)

Jason (jasonh@bridgeway.co.uk)
2017-11-21 07:22:54

If you need these restrictions, add the device into DEP - which you can now do even when you don’t have a proof of custody supply chain (albeit by using Apple Configurator)

Jason (jasonh@bridgeway.co.uk)
2017-11-21 07:23:36

Or am I missing something?

Fabian (mobilxperts@neokortex.de)
2017-11-21 09:16:26

@Russell Mohr - That's awesome, I have been waiting for this quite a while. Now there's just the Device name left, and Apple TV management is fully available 😄

thebjohn (brandonjohnson518@gmail.com)
2017-11-21 12:46:14

@Jason All Corporate devices aren’t necessarily supervised, so having the capability to do this on non-supervised iOS devices would also be ideal. But to your point, with iOS 11 allowing for manual addition to DEP, that is a route we can take for countries that do not offer that feature through suppliers.

Jason (jasonh@bridgeway.co.uk)
2017-11-21 12:47:00

Agreed, I’m not suggesting it’s ideal, but that’s the Apple ‘logic’ being applied here.

thebjohn (brandonjohnson518@gmail.com)
2017-11-21 12:47:18

But if this is only done via Apple Configurator, then that is an obvious no go for us. We deploy thousands of devices worldwide, plugging each one into a Mac with Configurator is not a sustainable solution

thebjohn (brandonjohnson518@gmail.com)
2017-11-21 12:47:31

@Jason I hear ya

Jason (jasonh@bridgeway.co.uk)
2017-11-21 12:48:19

Yup, that’s the only way to get them into DEP. It’s a single, one-off operation, so may yet have legs, especially in combination with a USB hub/cart configuration.

Jason (jasonh@bridgeway.co.uk)
2017-11-21 12:48:44

Cheaper than buying DEP devices in a supported country and sending them to another(!)

Jason (jasonh@bridgeway.co.uk)
2017-11-21 12:49:38

(I’m sure @aaron will also want to chip in at some point with his product offering here too… ;-)

Tobias (tobias.gruenewald@ebf.com)
2017-11-21 12:53:57

@thebjohn There is a tool called Groundcontrol which emulates Apple Configurator on distributed Windows devices with a central management console. So you just need someone in each of your worldwide locations who installs the tool on a PC and plugs in iDevices, everything else is centrally managed (https://www.groundctl.com/)

✅ Woody
Jason (jasonh@bridgeway.co.uk)
2017-11-21 13:04:52

Ok, so Tobias beat Aaron to the punch. 😉

aaron (aaron@groundctl.com)
2017-11-21 13:13:10

Whoa. Thanks @Tobias. Great description of our product. May I invite you all to continue discussing in the #v_groundcontrol channel?

👍 Woody
Tobias (tobias.gruenewald@ebf.com)
2017-11-21 13:41:17

was not even aware we have a Groundcontrol channel here 😁

thebjohn (brandonjohnson518@gmail.com)
2017-11-21 13:53:45

@Tobias That is pretty sweet! I will definitely have to check that out, thank you!

macbentosh (benbergthold@gmail.com)
2017-11-21 21:04:20

anyone having ldap issues with 9.6?

Jason Bayton (jason@bayton.org)
2017-11-21 21:05:25

*Thread Reply:* Define? I understand there's a fix in 9.6 for LDAP for the bug in 9.4-9.5

macbentosh (benbergthold@gmail.com)
2017-11-21 21:09:26

*Thread Reply:* not picking up all ad groups

macbentosh (benbergthold@gmail.com)
2017-11-21 21:09:37

*Thread Reply:* we do kerb email label with an ad security group

macbentosh (benbergthold@gmail.com)
2017-11-21 21:09:42

*Thread Reply:* not picking up changes

Jason Bayton (jason@bayton.org)
2017-11-21 21:10:47

*Thread Reply:* @Martin Cygan @Woody

Woody (eric.woodland@trust.tc)
2017-11-21 21:18:29

*Thread Reply:* What do the LDAP logs say in MICS @macbentosh?

Woody (eric.woodland@trust.tc)
2017-11-21 21:18:42

*Thread Reply:* Any indication that it’s seeing the group, but with no changes? Or just not seeing the group at all?

macbentosh (benbergthold@gmail.com)
2017-11-21 21:21:43

*Thread Reply:* it’s in the group in ad but the label doesn’t apply

Kiran Patel (kiran@kiranpatel.net)
2017-11-21 21:24:18

*Thread Reply:* and just to config the group is under the LDAP config in MI to sync right?

Woody (eric.woodland@trust.tc)
2017-11-21 21:24:18

*Thread Reply:* So if you take the failing label syntax and plug it into a new label filter, does the device appear in the results?

Kiran Patel (kiran@kiranpatel.net)
2017-11-21 21:24:26

*Thread Reply:* confirm**

NicolasR (raison_nicolas@me.com)
2017-11-21 21:35:57

*Thread Reply:* Is “Sync discard” option enabled?

Woody (eric.woodland@trust.tc)
2017-11-21 21:41:39

*Thread Reply:* The suspense is killing us, @macbentosh LoL

macbentosh (benbergthold@gmail.com)
2017-11-21 22:10:23

*Thread Reply:* yes

macbentosh (benbergthold@gmail.com)
2017-11-21 22:10:30

*Thread Reply:* 25%

Woody (eric.woodland@trust.tc)
2017-11-22 03:24:06

*Thread Reply:* Odd @macbentosh. What do your LDAP Search Filters look like for Users? The default or something different?

Woody (eric.woodland@trust.tc)
2017-11-22 03:24:15

*Thread Reply:* Default = (&(objectClass=user)(objectClass=person))

Fabian (mobilxperts@neokortex.de)
2017-11-22 08:09:00

*Thread Reply:* When using LDAP (not LDAPS) make a trace and look at it in Wireshark. It gives you a clear view what Core is requesting and what the responses look like. That might give some insight what exactly is misbehaving

Woody (eric.woodland@trust.tc)
2017-11-22 15:23:49

*Thread Reply:* and @macbentosh this was working in your former version of Core, yes? Any chance you ran 9.6 in a DEV/QA scenario before it went into PROD?

macbentosh (benbergthold@gmail.com)
2017-11-21 22:33:56
macbentosh (benbergthold@gmail.com)
2017-11-21 22:43:28

everyone left for TG

macbentosh (benbergthold@gmail.com)
2017-11-21 22:43:36

@Woody

Jason (jasonh@bridgeway.co.uk)
2017-11-22 09:29:38

Hi @macbentosh

Jason (jasonh@bridgeway.co.uk)
2017-11-22 09:29:46

Not all of us, some are UK based.

Jason (jasonh@bridgeway.co.uk)
2017-11-22 09:30:40

Our technical team didn’t mention this when they did their testing, so I’ll ask them to double-check and let you know if they do find anything.

JaxxUK (paul.jacka@bridgeway.co.uk)
2017-11-22 09:52:51

Hi all, We have had 9.6 in testing for 2 days now with iOS, Android and Windows 10 phones. Sorry about the Windows phones, we still have a couple of customers. LDAP looks fine and no issues we can see. Next round of testing and GPO etc is for tomorrow, so I will ask the techs to double check log files and verify back here.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2017-11-22 10:07:33

Thanks @JaxxUK

NicolasR (raison_nicolas@me.com)
2017-11-23 00:15:25

Hi everyone, it seems that a 9.6.0.1 is planned for the next few days. (Source: announcement mailing from MobileIron)

Jason Bayton (jason@bayton.org)
2017-11-23 22:49:47

Blimey, that didn't take long @NicolasR

NicolasR (raison_nicolas@me.com)
2017-11-24 08:46:00

I think there is a major issue... 😄

😄 Jason Bayton, Jason
Jason (jasonh@bridgeway.co.uk)
2017-11-24 08:54:44

Of course, due to Thanksgiving, I expect this will happen next week

macbentosh (benbergthold@gmail.com)
2017-11-24 19:35:42

My ldap issue is a bug in 9.6.

👍 Woody
macbentosh (benbergthold@gmail.com)
2017-11-24 19:46:17

Engineering has a fix though.

👍 Woody
Jason Bayton (jason@bayton.org)
2017-11-24 19:47:07

Can I get links to this info please?

Martin Cygan (martin@mobileiron.com)
2017-11-27 08:52:18

*Thread Reply:* Only in JIRA, no public info right now. Will be mentioned in the Release-Notes. If you need more details, pls ping me.

Kiran Patel (kiran@kiranpatel.net)
2017-11-27 14:57:28

*Thread Reply:* Is there an ETA for the fix? Hoping it's in 9.6.0.1

Jason Bayton (jason@bayton.org)
2017-11-27 15:29:31

*Thread Reply:* JIRA internal to MI or Partners too? I had a very brief look between flights last week but didn't see anything jump out.

macbentosh (benbergthold@gmail.com)
2017-11-27 15:44:28

*Thread Reply:* issue with batch processing

macbentosh (benbergthold@gmail.com)
2017-11-27 15:45:30

*Thread Reply:* Ours is names that it is not expecting within {}

Jason Bayton (jason@bayton.org)
2017-11-27 15:58:47

*Thread Reply:* Batch processing has been causing problems from 9.4 already.. with the fix supposed to be in 9.6

Fabian (mobilxperts@neokortex.de)
2017-11-27 08:40:45

I'd also be interested in the description

Thomas H. (the@sector27.de)
2017-11-27 17:31:39

Is anybody using S/MIME via Exchange config and UserSelfService Certs on iOS with Core 9.5 or Core 9.6?

thebjohn (brandonjohnson518@gmail.com)
2017-11-27 17:49:46

We are on 9.4 in Prod, but testing on 9.5 in QA, going to update to 9.6 though, what’s up?

macbentosh (benbergthold@gmail.com)
2017-11-27 18:20:37

If i have a video or photo in my files on docs at work how do i save that to the camera roll?

Woody (eric.woodland@trust.tc)
2017-11-27 19:21:20

@macbentosh You might be able to allow Open-In to the Apple Photos app. I’m not sure that you’d ever have direct access to save to the Camera Roll from AppConnect.

macbentosh (benbergthold@gmail.com)
2017-11-27 19:50:27

already on all apps

macbentosh (benbergthold@gmail.com)
2017-11-27 20:01:26

seems like docs at work is just choking on videos

Woody (eric.woodland@trust.tc)
2017-11-27 20:01:55

So, you’re able to save Photos out to the Camera Roll, just not Videos?

Woody (eric.woodland@trust.tc)
2017-11-27 20:02:05

Or Docs@Work isn’t processing/displaying videos as it should?

macbentosh (benbergthold@gmail.com)
2017-11-27 20:04:46

just taking forever to load in a 100mb video then fails to play it

macbentosh (benbergthold@gmail.com)
2017-11-27 20:04:52

mov mp4 m4v

Woody (eric.woodland@trust.tc)
2017-11-27 20:07:39

Gotcha

Jonathan Henson (jon@1fixpc.com)
2017-11-27 20:08:05

Does a 1MB test video have the same problem?

👍 Woody
macbentosh (benbergthold@gmail.com)
2017-11-27 20:09:03

haven’t tried

Woody (eric.woodland@trust.tc)
2017-11-27 20:09:15

I’d see if it’s a sizing issue, for contrast

macbentosh (benbergthold@gmail.com)
2017-11-27 20:09:28

how would you guys load videos for a kiosk mode style setup?

Woody (eric.woodland@trust.tc)
2017-11-27 20:10:49

Probably store them locally inside an app, restrict to only that app and play from there?

Woody (eric.woodland@trust.tc)
2017-11-27 20:11:10

I suppose Single-App mode as well, once we hit iOS 11.2 and its new features

macbentosh (benbergthold@gmail.com)
2017-11-27 20:11:23

1 mb is fine

Woody (eric.woodland@trust.tc)
2017-11-27 20:13:30

I’d drop a ticket with support to get the ball rolling. Perhaps there’s just an optimization that needs to be made for video sizes exceeding Xmb

macbentosh (benbergthold@gmail.com)
2017-11-27 20:24:58

here’s another question…What format (codec) does D@W support?

Woody (eric.woodland@trust.tc)
2017-11-27 21:02:20

AFAIK it inherits the codecs supported by the iOS/Android platforms

Woody (eric.woodland@trust.tc)
2017-11-27 21:56:54

What is the source of the video file, @macbentosh?

macbentosh (benbergthold@gmail.com)
2017-11-27 22:02:29

A cifs share.

Fabian (mobilxperts@neokortex.de)
2017-11-28 10:53:32

@Thomas H. Yes, cert type user provided, but uploaded via API

Thomas H. (the@sector27.de)
2017-11-29 09:06:43

@Fabian Any problems with signing Emails and S/MIME since iOS 11?

Fabian (mobilxperts@neokortex.de)
2017-11-29 09:08:22

No issues like that have been reported to us, so I assume it's working so far

NicolasR (raison_nicolas@me.com)
2017-11-29 09:50:34

There are

NicolasR (raison_nicolas@me.com)
2017-11-29 09:50:57

let me check the KB

NicolasR (raison_nicolas@me.com)
2017-11-29 09:52:34

some people mentioned this in the comments here: https://community.mobileiron.com/docs/DOC-6671

Oliver (oliver.schiemann@isec7.com)
2017-11-29 11:45:04

@Oliver has joined the channel

macbentosh (benbergthold@gmail.com)
2017-11-29 18:01:34

anyone know if there are keyvalue pairs for vlc

Woody (eric.woodland@trust.tc)
2017-11-29 19:55:42

I’d check AppConfig.org or the MobileIron Marketplace. If not there, hit VLC up directly.

Sascha Spangenberg (sascha.spangenberg@lookout.com)
2017-11-30 09:19:45

@Sascha Spangenberg has joined the channel

macbentosh (benbergthold@gmail.com)
2017-11-30 16:20:32

so odd issue

macbentosh (benbergthold@gmail.com)
2017-11-30 16:21:00

if i set a wallpaper for a device only it sets centered. If it is set by policy it is off center.. Same wallpaper.

Woody (eric.woodland@trust.tc)
2017-11-30 16:23:25

So, the former is by hand or configurator and the latter is via MDM/MobileIron Policy?

macbentosh (benbergthold@gmail.com)
2017-11-30 16:35:42

what does it mean when a wifi policy is partially applied

Woody (eric.woodland@trust.tc)
2017-11-30 16:52:36

So, what’s up with the wallpaper?

Woody (eric.woodland@trust.tc)
2017-11-30 16:52:55

In terms of the WiFi, I believe that means it’s delivered but the user hasn’t entered their password to “complete” the application

macbentosh (benbergthold@gmail.com)
2017-11-30 17:02:12

so I connected and the proxy is not applying

Kiran Patel (kiran@kiranpatel.net)
2017-12-01 02:06:15

Looks like Core 9.6.0.1 is out

👍 Woody, Jason
Jason (jasonh@bridgeway.co.uk)
2017-12-01 09:17:19

Yup, we’re putting it through its paces at the moment. Anyone else using (or having customers using) WinPho devices?

thebjohn (brandonjohnson518@gmail.com)
2017-12-01 12:21:11

Excellent, going to get it in QA today or early next week.

We aren’t doing WinPhones

SebastienP (spernot@gmail.com)
2017-12-01 13:40:53

Still not possible to delegate apps import/edit or distribute to a specific user or an ad group ? Thanks

thebjohn (brandonjohnson518@gmail.com)
2017-12-01 15:48:51

9.6.0.1 fixes the LDAP issue identified in 9.6?

Kiran Patel (kiran@kiranpatel.net)
2017-12-01 18:03:06

@thebjohn didn't see it mentioned in the release notes

thebjohn (brandonjohnson518@gmail.com)
2017-12-01 18:05:35

After scanning, neither did I. I assumed this was the fix in this release judging by the quicker turnaround and version number.

Kiran Patel (kiran@kiranpatel.net)
2017-12-01 20:07:39

Looks like they now have a KB Doc posted now

Jason Bayton (jason@bayton.org)
2017-12-01 20:19:47

Kiran that still references 9.4-9.5 with a fix in 9.6... so perhaps that's something else? They're a bit all over the shop at the moment it seems.

thebjohn (brandonjohnson518@gmail.com)
2017-12-01 21:01:24

@Jason Bayton I agree, I was a bit confused on that KB article as well

Duncan (duncan@govalux.com)
2017-12-02 10:40:48

Has any of you experience with pulling reporting data from the Core using the MobileIron APIs and Microsoft PowerBI? For some reason certain API queries kill the Core, and I then need to request our MobileIron provider (Vodafone Global Enterprise) to reboot the VM. The environment is only 15K devices on Core 9.5, all queries run fine in the QA environment which has only a few dozen devices registered. Any tips? VGE doesn’t seem to be able to get this resolved 😕

Jason Bayton (jason@bayton.org)
2017-12-02 14:21:29

*Thread Reply:* If Dirk is still around (I forget his surname but there's only one I'm aware of looking after hosted Cores) ask that he's involved with troubleshooting. VGE will have full access to the systems so should see something.

Duncan (duncan@govalux.com)
2018-03-28 00:10:38

*Thread Reply:* Mueller? Nope, he’s not there anymore

Jason Bayton (jason@bayton.org)
2018-03-28 18:51:35

*Thread Reply:* Yes I heard :(

Mark Vonk (mark.vonk@dahvo.com)
2017-12-02 14:06:35

Some APIs do use a lot of resources and it does not seem to be coded for efficiency. So try to be as lean as possible, apply as many filters as possible and do not request unnecessary data. What API calls are causing issues? If VGE is using a virtual environment, they might not have set the reservations for the VM, which could cause an issue escalating it to MI support

Duncan (duncan@govalux.com)
2017-12-03 13:33:55

*Thread Reply:* It seems that many (all?) API queries are causing stress on the Core, but there is one that certainly kills the system instantly; https://corename.vodafone.com/api/v2/authorized/users?adminDeviceSpaceId=1

thebjohn (brandonjohnson518@gmail.com)
2017-12-02 14:27:56

@Duncan Do you have a Reporting Database VM?

Duncan (duncan@govalux.com)
2017-12-03 13:36:30

*Thread Reply:* We asked VGE (Vodafone Global Enterprise) for that some months ago, but where I was under the impression that it was simply spinning up another VM based on the MI ReportingDB install guide, VGE told me it would require a 3 month project as it wasn't part of their standard services...

Duncan (duncan@govalux.com)
2017-12-03 13:37:05

*Thread Reply:* I might otherwise just spin that up on-premises and open up the required network ports to make it work?

Jason (jasonh@bridgeway.co.uk)
2017-12-02 19:21:36

@Duncan A fair bit, as we’re responsible for IronWorks (https://www.bridgeway.co.uk/ironworks) - which APIs are you using that are causing the issues? Also, are you requesting the data as CSV or JSON?

Duncan (duncan@govalux.com)
2017-12-03 13:42:42

*Thread Reply:* One example is the API query https://corename.vodafone.com/api/v2/authorized/users?adminDeviceSpaceId=1 but we are basically trying to use all v2 APIs and also some v1 APIs. We are using a combination of JSON and CSV. I think most API queries are returning JSON. I am using Microsoft PowerBI as the tool, and so far I did not worry about offsets and limits as it seems that PowerBI manages to structure the data for me. But maybe that is part of the issue? But still, I can understand that the API queries cause a certain (high) load on the Core, and that it takes a certain time to process. But now it seems that processes on the Core just die (Tomcat?). Shouldn't that be protected from happening?

Duncan (duncan@govalux.com)
2017-12-03 13:46:24

This is an example that VGE shared with me illustrating the API Core load

Fabian (mobilxperts@neokortex.de)
2017-12-04 10:21:38

Core can handle many API requests, also in parallel. We have developed some tools which intensively leverage the API and keep a Core with 8 Cores at 70% CPU average. At that load, Core is still responsive and everything is working as expected, so it can deal with such load.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2017-12-04 14:55:13

We have seen issues with large scale data extracts using JSON - believe it or not, some of these are better under CSV, but please try both and see how your own Core server behaves. I would suggest monitoring memory space carefully in your VM environment, as this may highlight capacity issues too.

Jason (jasonh@bridgeway.co.uk)
2017-12-04 14:56:53

We have only been using v2 APIs in IronWorks, so I can’t comment on v1 calls, but happy to take detailed questions via DM. Just please bear with me as I’m on annual leave at the moment and the timeliness of my responses will suffer as a result.

Jason Bayton (jason@bayton.org)
2017-12-06 15:51:47

@Woody @Martin Cygan @Russell Mohr question about the phone number sync recently(ish) introduced.

Does it sync semi-regularly or is it taken only once on enrolment and never updated again?

Barrie Codona (barrie.codona@hotmail.com)
2017-12-06 19:48:10

Jason, my understanding is that this will update on a regular basis. As you can change the SIM in a registered device and it should update on the Core/Cloud server to reflect the 'Current Phone Number'. But I don't know how regularly this happens. I would suspect it is what's used for the 'SIM Changed Event' to be triggered.

Jason Bayton (jason@bayton.org)
2017-12-06 19:49:13

Agreed, I ask because MI support earlier suggested it's only collected on enrolment with Cloud and I thought.. nah.

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:24:48

The new feature that was added recently isn’t about collecting SIM/Phone number information. I’m fairly sure we’ve collected that info for some time

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:25:39

Rather, on Core 9.6 at least, we can change the permissions Mobile@Work is asking for to exclude the Phone permissions

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:26:05

which some users, especially BYOD, find alarming. Phone permissions allow an app to make phone calls, SMS etc

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:26:51

We can skip asking for that permission… but then we don’t get the phone number, IMEI etc

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:29:13
Jason Bayton (jason@bayton.org)
2017-12-06 20:33:35

What I do know is either a core or agent update recently started showing phone numbers against my devices. Prior they had been "PDAx" for as long as I remember.

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:34:26

interesting

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:34:56

I’m never really testing with SIMs

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:35:16

but I’m surprised ..

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:37:50

I do see phone numbers on MobileIron Cloud for devices that were retired over a year ago

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:38:45
Jason Bayton (jason@bayton.org)
2017-12-06 20:38:46

I need to start reading through release notes.. but in any case I just need that confirmation if a number changes, Cloud/Core will update it.

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:38:58

I would imagine they do

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:39:08

although we don’t do a SIM change event on Cloud

Jason Bayton (jason@bayton.org)
2017-12-06 20:39:56

#featurerequest

👍 Woody
Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:40:15

hah- I don’t know for sure--- needs to be tested

Jason Bayton (jason@bayton.org)
2017-12-06 20:41:18

I've got a dual SIM phone here registered on Core that lets me edit numbers actually (few androids do). I'll try it. Doesn't answer for cloud but ...

Jason Bayton (jason@bayton.org)
2017-12-06 20:43:19

Oh yup that updates sweet as a nut!

Russell Mohr (rmohr@mobileiron.com)
2017-12-06 20:43:57

do you need a cloud account to register to?

Mark Vonk (mark.vonk@dahvo.com)
2017-12-06 20:44:44

As far as I know, have checked it, etc. it always has updated. Only when you remove a SIM, for example an iPad, then you might see strange behaviour (all zeros, strange carrier, etc). But I think it updates every check-in with the Core/Cloud

Jason Bayton (jason@bayton.org)
2017-12-06 20:46:04

Oh I would like a tenant actually.. which is far more than you just offered, sorry 😝

I can use the company cloud tenant for this..

Jason Bayton (jason@bayton.org)
2017-12-06 20:46:39

@Mark Vonk I'll just try it now. I had zero doubt before Support told me otherwise.

Mark Vonk (mark.vonk@dahvo.com)
2017-12-06 20:48:01

I am not sure about dual-sim devices though. Never seen one registered on a Core (or at least knowingly). But a regular SIM change (and phone number change by that) has always worked for me.

Jason Bayton (jason@bayton.org)
2017-12-06 20:52:06

Dual SIM isn't important for reasons other than it lets me edit the number rather than reading from the SIM (so easier to play with). SIM 1 is always primary so will take precedence in showing in EMMs

Jason (jasonh@bridgeway.co.uk)
2017-12-07 10:49:26

Which brings me to one of my biggest UI/UX bugbears with the admin console. We’re in the C21st and it’s still listing SIM-less mobile devices as “PDAs”. This seems anachronistic with the current tablets, slates, laptops - even desktops with Bridge -, Apple TVs, and other modern devices that can be managed with MobileIron.

😀 Mark Vonk, Jason Bayton, NicolasR
👍 Tobias, Kiran Patel
Jason (jasonh@bridgeway.co.uk)
2017-12-07 10:49:47

Sorry, had to get that off my chest.

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 13:13:53

Anyone here tested the latest iOS Mobile@Work client v9.7? Seeing an issue here for DEP devices

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 13:14:35

Once installed from Apps@Work post registration, or reinstall of app from Apps@Work, does not recognize as DEP Supervised, and asks for a device PIN for Enrollment, doesn’t pick up the registration.

Fabian (mobilxperts@neokortex.de)
2017-12-07 13:26:03

The managed App pre-authentication token for Mobile@Work is not DEP related, but nevertheless a crucial feature 😄 Haven't tested that yet

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 13:27:29

We just tested a Non-DEP device too and it also happened, seems to be a bug with 9.7 we are seeing

Fabian (mobilxperts@neokortex.de)
2017-12-07 13:29:47

How much time passed after installing the app and launching it for the first time?

Fabian (mobilxperts@neokortex.de)
2017-12-07 13:29:58

The token has a time limit. Probably the device's system date/time has too much offset

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 13:31:24

We have tried on about 6 different users and devices, waited 10+ minutes

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 13:32:02

DEP and Non-DEP devices

Fabian (mobilxperts@neokortex.de)
2017-12-07 13:53:46

Sounds like a real bug 🙂

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 14:05:23

Submitting a case now 😁

Woody (eric.woodland@trust.tc)
2017-12-07 15:55:09

Interesting @thebjohn that’s not something I can see that would have really called attention to itself (to warrant any sort of change).

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 15:56:31

Oh they identified a bug already, on a call with our Premier Support guy now

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 15:57:23

Issue still under investigation with MI Engineering, but they know the issue

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 16:05:20

Caching allocation for memory issue, Engineering still reviewing to determine root cause

thebjohn (brandonjohnson518@gmail.com)
2017-12-07 16:05:32

Core resources caching issue it seems

Ankur (aachary@us.ibm.com)
2017-12-08 04:34:50

@Ankur has joined the channel

NicolasR (raison_nicolas@me.com)
2017-12-08 09:38:56

I've just tested the ireg registration process + install M@W via CORE to get the managed app token; for me it works with 9.7

thebjohn (brandonjohnson518@gmail.com)
2017-12-08 11:48:39

It’s intermittent. They confirmed a caching issue with Core.

Tobias (tobias.gruenewald@ebf.com)
2017-12-08 12:06:05

So if it's a Core issue is it independent of Mobile@Work version?

thebjohn (brandonjohnson518@gmail.com)
2017-12-08 12:52:17

According to MI Engineering, it is not, which we found strange based on our findings of it happening with the latest client. Coincidental according to Engineering

thebjohn (brandonjohnson518@gmail.com)
2017-12-08 12:55:44
thebjohn (brandonjohnson518@gmail.com)
2017-12-08 12:55:45

I’ll provide more info as we move forward with the case

NicolasR (raison_nicolas@me.com)
2017-12-08 16:22:57

Thanks!

macbentosh (benbergthold@gmail.com)
2017-12-08 22:22:55

When is MAM coming to Core!!!???

Woody (eric.woodland@trust.tc)
2017-12-09 02:32:17

9.6 @macbentosh

macbentosh (benbergthold@gmail.com)
2017-12-09 03:05:05

I’m on 9.6 and don’t see it. Do I need something in addition to core.

macbentosh (benbergthold@gmail.com)
2017-12-09 03:08:14

Looks like I need to look at the core apps at work guide.

NicolasR (raison_nicolas@me.com)
2017-12-09 15:21:12

You need to set up a dedicated CORE for that

NicolasR (raison_nicolas@me.com)
2017-12-09 15:21:40

the only difference between before and now is that it is officially supported and also they fixed some of the issues we had

Mark Vonk (mark.vonk@dahvo.com)
2017-12-09 19:20:12

It's a basic Core server, but you configure it without a MDM (APNs) certificate for Apple devices.

Mark Vonk (mark.vonk@dahvo.com)
2017-12-09 19:22:51

But a lot of restrictions on running MAM-only for iOS. Read the Apps@work guide for Core; there is actually (for MobileIron with new features) a lot of info in there about it.

macbentosh (benbergthold@gmail.com)
2017-12-11 16:43:55

well if anyone has a guide…

Woody (eric.woodland@trust.tc)
2017-12-11 18:41:13

MobileIron Tunnel released as MobileIron Centaur in China App Store: https://community.mobileiron.com/docs/DOC-7346

Jason Bayton (jason@bayton.org)
2017-12-11 18:42:20

*Thread Reply:* Unauthorised.

Woody (eric.woodland@trust.tc)
2017-12-11 18:43:18

*Thread Reply:* Well, boo! Anywho, it’s being re-released in the China app store. For Core, ATM.

Woody (eric.woodland@trust.tc)
2017-12-11 18:43:50

*Thread Reply:* https://itunes.apple.com/us/app/mobileiron-centaur/id1315143363?mt=8

Jason Bayton (jason@bayton.org)
2017-12-11 18:45:51

*Thread Reply:* Was it pulled because it's a VPN client? What's the workaround that got it back on?

Woody (eric.woodland@trust.tc)
2017-12-11 18:56:38

*Thread Reply:* Well, AFAIK it’s a front-end activator for the VPN configuration profile that MI delivers. It may house the config, but in all reality it’s the Apple built-in VPN framework doing the heavy lifting.

Woody (eric.woodland@trust.tc)
2017-12-11 19:06:41

*Thread Reply:* “MobileIron Centaur supports the same list of features as MobileIron Tunnel.”

Jason (jasonh@bridgeway.co.uk)
2017-12-11 23:32:12

*Thread Reply:* The next one will be MobileIron Unicorn[TM], you’ll see… 😉

😆 Woody
Woody (eric.woodland@trust.tc)
2017-12-12 01:39:34

*Thread Reply:* And who doesn’t want a VPN secretly disguised as a Unicorn on their device? #Clever

😆 Jason Bayton, Martin Cygan
Tobias (tobias.gruenewald@ebf.com)
2017-12-12 11:45:44

*Thread Reply:* Centaur works the same as Tunnel but also pipes a copy of the unencrypted traffic to a Chinese gov server farm, which makes it compliant to the Chinese regulations.

But it's also possible that the app name just is not allowed to contain any references to Tunneling techniques.

😆 Woody, NicolasR
Jason Bayton (jason@bayton.org)
2017-12-12 11:53:02

*Thread Reply:* That's pretty horrendous (the regulations)

Tobias (tobias.gruenewald@ebf.com)
2017-12-12 12:44:09

*Thread Reply:* Was just kidding (hopefully) 🙂

But more important to me is the question if this change will have an impact on device-based VPP distributed MI Tunnel when the VPP licenses were purchased in another Country. Would devices in China still be able to install MI Tunnel when they receive it as device-based VPP installation request?

Tobias (tobias.gruenewald@ebf.com)
2017-12-12 12:59:17

*Thread Reply:* https://goo.gl/xOWk1m

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 13:08:49

*Thread Reply:* We JUST rolled out Tunnel for Safari and Remote Desktop client globally this past Thursday, this is a real kick to the dick considering we just rolled this out

😆 Woody
thebjohn (brandonjohnson518@gmail.com)
2017-12-12 13:10:58

*Thread Reply:* Pardon my French

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 13:16:45

*Thread Reply:* We have about 350 Corp devices in China we have to look into re-Engineering our solution for. I had 0 idea this wasn’t available as of July

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 13:19:30

*Thread Reply:* And strangely, we rolled out a Field Test for some BYOD changes for iOS. We have a user in China as part of this Field Test, and I see he has Tunnel installed. This Field Test was just rolled out last week...

Jason Bayton (jason@bayton.org)
2017-12-12 13:21:42

*Thread Reply:* Well now you've lost plausible deniability when they come for you @thebjohn

Tobias (tobias.gruenewald@ebf.com)
2017-12-12 13:40:47

*Thread Reply:* @thebjohn As I understand, devices which installed the app before the removal from China AppStore will keep it. But you cannot do new installations.

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 13:41:56

*Thread Reply:* Doesn’t seem to be entirely true, as we deployed Tunnel last week as part of a Field Test, and the 1 user we have in China as part of the Field Test has Tunnel installed 🤔

Tobias (tobias.gruenewald@ebf.com)
2017-12-12 13:50:00

*Thread Reply:* Is device-based VPP in use? Maybe this circumvents the limitation somehow.

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 13:56:18

*Thread Reply:* Hmm, we are leveraging VPP for Corp only based on labels, not for BYOD

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 15:01:49

*Thread Reply:* Product Bulletin also states just Tunnel v2.2, I assumed this also applies to future releases, or it should? We see v2.3.1 in China on devices

Tobias (tobias.gruenewald@ebf.com)
2017-12-12 15:27:59

*Thread Reply:* I just registered a test device and selected "China" during setup. Also added an Apple ID whose Country was set to "China". Device-based VPP installation works for MI Tunnel 2.3.1. The Apple ID cannot find MobileIron Tunnel in the AppStore, only Centaur. I have no clue if this is a meaningful test result as the device is still physically located in Germany and the same device already was assigned with a VPP licensed MI Tunnel app before I wiped it.

Woody (eric.woodland@trust.tc)
2017-12-12 15:36:39

*Thread Reply:* That sounds like a fair test @Tobias. It sounds like you’re being ushered-in to the China instance of the App Store based on the Country you selected (instead of being redirected based on Geo/Source IP)

Jason Bayton (jason@bayton.org)
2017-12-12 15:37:31

*Thread Reply:* If that’s all it is though, just telling users to register as in another country is all it’d take to keep Tunnel running

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 15:37:56

*Thread Reply:* So even if you publish an app in Apps@Work using a bundle ID and select AppStore Country say United States, a person in China can still pull from the US AppStore even though Geo should route their device to the China AppStore?

Woody (eric.woodland@trust.tc)
2017-12-12 15:40:51

*Thread Reply:* It sounds like China the Great would have taken that into consideration as part of their blocking…

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 15:41:43

*Thread Reply:* That’s my assumption. So for a global company, whether you publish in Apps@Work as US blanket across the board, devices should technically still pull from their Home Country Apple AppStore, that’s my assumption. But based on what we are seeing for Tunnel in China, something is funky here

Tobias (tobias.gruenewald@ebf.com)
2017-12-12 15:46:28

*Thread Reply:* Regarding traditional app deployment through Apps@Work this should definitely hold true. The installation request contains just the App ID and the app is downloaded from whichever country app store the Apple ID is currently configured for. However, for device based VPP the same is unclear to me. Apple doc states "VPP apps can be assigned to devices or users in any country where the app is available, enabling multinational distribution for your enterprise". But how is the device-to-country mapping done?

Tobias (tobias.gruenewald@ebf.com)
2017-12-12 15:47:19

*Thread Reply:* Btw, 德国 is Chinese for Germany, if anyone ever needs to move back his Apple ID Country from China to Germany 😄

Woody (eric.woodland@trust.tc)
2017-12-12 16:24:16

*Thread Reply:* @thomrburg can provide some insight regarding VPP here. I believe he said previously that an asset (app) is made available based on the countries selected by the developer. I’m not sure what specifically is used to determine -what- store the lookup/request is performed against.

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 17:07:14

*Thread Reply:* We have a user in China testing some scenarios for us. If it is in fact somehow reaching back to the US AppStore, then we have a problem. Moreso if it is doing it over cellular, which shouldn’t even work if it is communicating with the China public AppStore. I would also be very curious to see how other global companies are handling this, especially if they deploy their internal network in China, which has to route back out.

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 17:09:59

*Thread Reply:* Also, I don’t see any official documentation on the Centaur app other than what is published in the public App Store for the app. I would like to see some official doc on capabilities and differences between Tunnel, especially the part that was mentioned earlier about traffic being unencrypted and piped to Chinese govt servers, that would be a huge legality issue for us

Jason Bayton (jason@bayton.org)
2017-12-12 17:34:20

*Thread Reply:* It was also a joke, but not far from reality I'd fear.. :p

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 17:53:56

*Thread Reply:* Although a joke, it wouldn’t surprise me. I’m finding it hard to believe the same app just published under a new name for China is all there is to it

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 19:28:57

*Thread Reply:* Got confirmation from our account manager after touching base with MI PMs, Centaur code is identical to Tunnel, only difference is app name for China.

👀 Jason Bayton
Jason Bayton (jason@bayton.org)
2017-12-12 19:39:22

*Thread Reply:* Anticlimactic

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 19:42:01

*Thread Reply:* I wish there was something more exciting to their response

Tobias (tobias.gruenewald@ebf.com)
2017-12-13 15:31:36

*Thread Reply:* Just to make sure, I was joking with the statement regarding the traffic sent to Chinese gov (even though it's not far fetched). Should definitely have added some mischievously grinning smiley to the post.

thebjohn (brandonjohnson518@gmail.com)
2017-12-13 15:33:38

*Thread Reply:* I knew that was the case, but as you said, it wouldn’t be surprising if that was the case. I still see this as being a workaround for the China VPN issue by a name change. Maybe I’m wrong

Tobias (tobias.gruenewald@ebf.com)
2017-12-13 15:34:12

*Thread Reply:* Also a sidenote: Hong Kong, which belongs to China but still has very many privileges, is not affected. Hong Kong has its own App Store which is different from the China one and still includes MI Tunnel. Maybe this makes it easier for some companies which may be active in HK but not in the rest of China.

👍 Woody
thebjohn (brandonjohnson518@gmail.com)
2017-12-13 15:45:08

*Thread Reply:* That is interesting. That might explain why we have a test user in China who is still able to install Tunnel

🤔 Woody
thebjohn (brandonjohnson518@gmail.com)
2017-12-13 16:32:21

*Thread Reply:* Do you have a reference article to this statement?

Tobias (tobias.gruenewald@ebf.com)
2017-12-14 08:10:59

*Thread Reply:* No, I just switched an Apple ID around between countries. China and Hong Kong are listed separately. Switching to China = no MI Tunnel, switching to Hong Kong = MI Tunnel

thebjohn (brandonjohnson518@gmail.com)
2017-12-14 13:10:45

*Thread Reply:* So essentially, having an Apple ID associated with another country is a workaround, home country and physical location in China doesn’t matter...

Tobias (tobias.gruenewald@ebf.com)
2017-12-14 13:31:56

*Thread Reply:* Well, we cannot know, if physical location matters, as I could not test that. I strongly assume that the Big Firewall prevents access to other country app stores on a network level, even if you switch your Apple ID to a different country. Also it's possible that iOS devices sold in China have a builtin prevention regarding switching AppStore country. Also this test does not shed any light on device-based VPP distribution as it is independent of the Apple ID. Customer will deploy a few test devices in Beijing soon, will update with our findings.

thebjohn (brandonjohnson518@gmail.com)
2017-12-14 16:21:27

*Thread Reply:* We have a user in China, Home Country and Carrier both China. Apple ID associated in India. He is physically located in China, and confirmed able to access Tunnel. VPP is in India, so this may be why it is working, but I assumed the Great Firewall would be blocking it, it appears not

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 13:31:34
Woody (eric.woodland@trust.tc)
2017-12-12 14:21:22

Just saw that other thread on Centaur and now it makes sense

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 14:33:30

Cripes, but close 😁

Jason Bayton (jason@bayton.org)
2017-12-12 15:06:23

*Thread Reply:* #badlipreading

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 15:23:49

*Thread Reply:* @Jason Bayton Haha

thebjohn (brandonjohnson518@gmail.com)
2017-12-12 14:33:45

It wouldn’t let me post it in that thread for some reason. But yes, in regards to Centaur

Woody (eric.woodland@trust.tc)
2017-12-12 14:43:52

Yeah, it appears threads are limited to just text, links and reactions for now

Sherman Chen (shermanc@mobileiron.com)
2017-12-12 18:41:30

@Sherman Chen has joined the channel

Preetham Guram (spurtipreetham.g@gmail.com)
2017-12-14 17:40:03

@Preetham Guram has joined the channel

Preetham Guram (spurtipreetham.g@gmail.com)
2017-12-14 17:40:50

Hello World!!!

👋 Jason Bayton, Russell Mohr
Barrie Codona (barrie.codona@hotmail.com)
2017-12-14 18:04:31

Hello @Preetham Guram

Preetham Guram (spurtipreetham.g@gmail.com)
2017-12-14 18:09:15

Hey there @Barrie Codona, happy to be part of this group.

Preetham Guram (spurtipreetham.g@gmail.com)
2017-12-14 18:09:27

I worked with Mobileiron between 2012 and 2015

👍 Martin Cygan, Woody
Preetham Guram (spurtipreetham.g@gmail.com)
2017-12-14 18:10:12

While I am still in touch with folks who build and support Mobileiron, this group is a great place to learn great stuff.

Woody (eric.woodland@trust.tc)
2017-12-15 16:05:12

Great to have you, @Preetham Guram!

Preetham Guram (spurtipreetham.g@gmail.com)
2017-12-15 16:05:52

Thanks Eric. It’s great to be part of this group 😊

👍 Woody
NicolasR (raison_nicolas@me.com)
2017-12-16 08:25:46

Hi @Preetham Guram ! Welcome

😊 Preetham Guram
Preetham Guram (spurtipreetham.g@gmail.com)
2017-12-16 08:36:42

Thank you.

Dave van den Bergh (davevandenbergh@coa.nl)
2017-12-20 19:35:18

@Dave van den Bergh has joined the channel

japple (jeffapple@yahoo.com)
2017-12-21 14:45:49

Question regarding Self signed certs? We created a self signed cert with a lifetime of 365 days and we distribute it with our primary WiFi configuration. The cert was created on 12/30/2017 and we were wondering if a new cert needs to be created? Certificate Management logs show that the cert expires on 12/30/2017, which leads me to believe we need to create a new cert and should set the lifetime to much longer than 365 days?

Jason (jasonh@bridgeway.co.uk)
2017-12-21 14:48:10

So the creation was 2017? Or did you mean 2016?

japple (jeffapple@yahoo.com)
2017-12-21 14:49:35

Oh yeah, creation on 12/30/2016. Lifetime of 365 days.

Jason (jasonh@bridgeway.co.uk)
2017-12-21 14:49:47

And yes, certificates need to be renewed (ideally before their expiry, so that you can push them out in plenty of time before the transfer mechanism disappears)

Jason (jasonh@bridgeway.co.uk)
2017-12-21 14:50:40

You can create certs for longer timeframes, but of course, the longer the period, the greater the risk, which is why one or two years are the typical length.

japple (jeffapple@yahoo.com)
2017-12-21 14:50:59

gotcha

japple (jeffapple@yahoo.com)
2017-12-21 14:55:13

Does this sound reasonable then?

  1. Create a new cert and set lifetime to 730 days.
  2. Change the cert in the current SCEP to use the newly created Cert.

The existing config/cert will work until 12/30/2017 and the devices will get a new cert when/if it connects before 12/30/2017.

Jason (jasonh@bridgeway.co.uk)
2017-12-21 14:58:43

Agreed - just ensure that there’s a 1(a) step there: ensure new cert is also accepted on the backend WiFi APs.

japple (jeffapple@yahoo.com)
2017-12-21 14:59:58

Yeah, we’ll be providing that information to our DNS folks to allow the cert.

Jason (jasonh@bridgeway.co.uk)
2017-12-21 15:00:46

Fab.

Woody (eric.woodland@trust.tc)
2017-12-21 15:16:49

@japple the CA issuing the certs should be good for way longer than 1 year. If the device identity cert is expiring, it will be provided a new certificate when the existing is preparing to expire (courtesy of the SCEP config). There should be no reason to create a new SCEP, when the one in place will work as designed nearing a cert expiration date.

Jason (jasonh@bridgeway.co.uk)
2017-12-21 15:17:48

@Woody, good point - I was reading this as a standalone, imported cert.

Woody (eric.woodland@trust.tc)
2017-12-21 15:19:22

Or is this a group certificate (single cert created from an external CA and given out to many devices) and installed to the device certificate store? In that case, you’d need to obtain a new certificate from the external CA and hand out alongside the one that’s expiring. It will not self-renew, like a SCEP’d cert.

japple (jeffapple@yahoo.com)
2017-12-21 15:20:18

Self Signed Cert created in Core-->Assigned to a SCEP profile-->assigned to a WiFi config

Woody (eric.woodland@trust.tc)
2017-12-21 15:20:22

Haha @Jason I have a little history with this one, if it’s the one I’m thinking of.

japple (jeffapple@yahoo.com)
2017-12-21 15:20:37

Yeah, it’s the one you’re thinking of. 🙂

Woody (eric.woodland@trust.tc)
2017-12-21 15:20:40

Yes, SCEP should renew that for the device on its own.

japple (jeffapple@yahoo.com)
2017-12-21 15:22:23

What raised an eyebrow is many of these in our logs:

Woody (eric.woodland@trust.tc)
2017-12-21 15:24:06

When did those first start appearing (as far as you can tell from the logs)?

Woody (eric.woodland@trust.tc)
2017-12-21 15:24:45

Also, check the validity dates on the issuing CA. It should be good for awhile

japple (jeffapple@yahoo.com)
2017-12-21 15:25:22

@japple uploaded a file: image.png

Woody (eric.woodland@trust.tc)
2017-12-21 15:25:25

Also, is that device really running iOS 8.3?

japple (jeffapple@yahoo.com)
2017-12-21 15:27:38

We just noticed them last week, but they date back to 9/20/2017. And yes, it’s probably on iOS 8.3. Long story. 😞

japple (jeffapple@yahoo.com)
2017-12-21 15:28:00

Sorry to ask, but how do you check the validity dates on the issuing CA?

Woody (eric.woodland@trust.tc)
2017-12-21 15:37:17

Well, it used to display in the Services -> Local CA screen

Woody (eric.woodland@trust.tc)
2017-12-21 15:38:01

Download the certificate, import it to your Keychain Access or Windows User Certificate Store and look when it expires

Woody (eric.woodland@trust.tc)
2017-12-21 15:39:52

Default is 30 years, so I’m almost certain it isn’t expiring any time soon

japple (jeffapple@yahoo.com)
2017-12-21 15:50:52

@japple uploaded a file: image.png

Woody (eric.woodland@trust.tc)
2017-12-21 15:55:37

Interesting. Yup, you’ll need a new CA to issue certs moving forward. I’d recommend a CA life of 5-10 (or even the default of 30 years), so you don’t have to jump through this again later.

japple (jeffapple@yahoo.com)
2017-12-21 15:56:30

Yeah, new cert. That’s what I was thinking.

Woody (eric.woodland@trust.tc)
2017-12-21 15:57:13

Not sure how that got set to 1 year but hey, crazier things have happened.

Mark Vonk (mark.vonk@dahvo.com)
2017-12-21 16:44:51

Weird indeed. But if you create a new CA and point to it in your SCEP profile, I am pretty sure the Core will start pushing new certs directly. This means your WiFi will need to accept certs from both the old and the new CA. Otherwise either one will not work and some devices will have WiFi access and others not.

✅ Woody
japple (jeffapple@yahoo.com)
2017-12-21 16:47:08

Yeah, I was going to let the DNS folks know to accept both certs.

macbentosh (benbergthold@gmail.com)
2018-01-04 23:18:21

@Woody any plans to support smart speakers? Alexa, Home Pod Google home?

Woody (eric.woodland@trust.tc)
2018-01-05 01:08:53

Not that I’m aware of @macbentosh. Do you have a particular use case you’re looking to accommodate?

Kiran Patel (kiran@kiranpatel.net)
2018-01-05 01:40:13

@Woody this one came to mind when Amazon initially announced it

Kiran Patel (kiran@kiranpatel.net)
2018-01-05 01:40:14

https://aws.amazon.com/alexaforbusiness/

👍 Woody, Russell Mohr
Kiran Patel (kiran@kiranpatel.net)
2018-01-05 01:41:30

That being said I think Amazon is trying to do this themselves with Alexa for Business

Kiran Patel (kiran@kiranpatel.net)
2018-01-05 01:41:37

@Kiran Patel uploaded a file: image.png

macbentosh (benbergthold@gmail.com)
2018-01-05 01:41:48

Our network will require settings to get on the WiFi. Maybe disallow skills or integrations.

Kiran Patel (kiran@kiranpatel.net)
2018-01-05 01:44:00

@macbentosh what features would you use on a smart speaker if skills or integrations were disabled?

Kiran Patel (kiran@kiranpatel.net)
2018-01-05 01:44:12

or do you mean specific ones?

Woody (eric.woodland@trust.tc)
2018-01-05 01:45:58

Based on what @Kiran Patel provided, it looks to be a closed system for the time being. If you’ve got a provisioning device tied to your Business Alexa account, I think it could handle damn near everything applicable to your business (Skills enabled/disabled/allowed/etc).

Woody (eric.woodland@trust.tc)
2018-01-05 01:46:51

Only thing I can see is a need for the ability to have sub-accounts for provisioning, management of devices, etc.

Woody (eric.woodland@trust.tc)
2018-01-05 01:48:26

Kind of like Apple DEP, I suppose

macbentosh (benbergthold@gmail.com)
2018-01-12 14:59:20

Ok here is a weird issue. iPhone x Email notifications on lock screen with privacy. (only show the context of the email when unlocked) Show my phone my face, phone unlocks, emails show text and subject, then disappear.

aaron (aaron@groundctl.com)
2018-01-12 15:26:47

That’s a feature!

👍 Woody
aaron (aaron@groundctl.com)
2018-01-12 15:27:49

http://www.zdnet.com/article/my-favorite-iphone-x-feature-hidden-notifications/

aaron (aaron@groundctl.com)
2018-01-12 15:29:56

Personally I turned it off. Too often my phone was lying flat on my desk and not staring back at my face.

Kiran Patel (kiran@kiranpatel.net)
2018-01-12 16:15:51

I personally like this feature and some even tout it as an "Enterprise DLP" feature so you don't have to scrub lock screen notifications. Ideally there would be an MDM control to require that feature to be enabled for CORP devices (haven't dug in to see if it is). Just sayin... 🙂

Kiran Patel (kiran@kiranpatel.net)
2018-01-12 16:16:00

@macbentosh charging stand FTW!

macbentosh (benbergthold@gmail.com)
2018-01-12 16:38:17

happen on my 7 and 8

macbentosh (benbergthold@gmail.com)
2018-01-12 16:38:59

not a feature the message go off screen not show the content

macbentosh (benbergthold@gmail.com)
2018-01-12 16:47:11
Woody (eric.woodland@trust.tc)
2018-01-15 20:27:40

MobileIron Live ‘18 - Coming to a region near you!

👍 Russell Mohr, Jason
macbentosh (benbergthold@gmail.com)
2018-01-16 20:14:32

that mean that you’re not coming west?

Woody (eric.woodland@trust.tc)
2018-01-16 22:43:43

*Thread Reply:* I’m not sure yet, TBH

rterakedis (rterakedis@vmware.com)
2018-01-17 14:43:35

@rterakedis has joined the channel

nit_suj (jkinney@lynn.edu)
2018-01-17 20:55:25

@nit_suj has joined the channel

thebjohn (brandonjohnson518@gmail.com)
2018-01-18 16:31:48

Anyone seeing issues with Home Country Name not Reporting back to Core? Seeing this on 9.4 and 9.6.0.1

Mark Vonk (mark.vonk@dahvo.com)
2018-01-24 19:38:13

*Thread Reply:* Yes we have seen the same. Also incorrect Home Countries, but that is already addressed: https://community.mobileiron.com/docs/DOC-7477

csimonds (csimonds@perkinscoie.com)
2018-01-19 16:51:50

@csimonds has joined the channel

lovelessinseattle (cloveless@perkinscoie.com)
2018-01-19 16:54:03

@lovelessinseattle has joined the channel

Kiza (kiza@zoranmiskovic.com)
2018-01-21 14:21:27

@Kiza has joined the channel

macbentosh (benbergthold@gmail.com)
2018-01-22 20:06:24

So the wallpaper policy is not centering it on the device. Do we need one per device type?

Woody (eric.woodland@trust.tc)
2018-01-23 01:10:26

I can’t say I’ve seen a KvP/setting that allowed to specify “Center”, so I’d guess you may need one to match the resolution per type of device.

Kiran Patel (kiran@kiranpatel.net)
2018-01-23 19:41:15

@macbentosh iOS 11.2.5 is out and saw this that you may be interested in... "– Fixes an issue that caused Mail notifications from some Exchange accounts to disappear from the Lock screen when unlocking iPhone X with Face ID"

👍 Woody
macbentosh (benbergthold@gmail.com)
2018-01-23 19:42:06

Noice!!!

aaron4mobile (aaronleavey@gmail.com)
2018-01-24 16:04:03

@aaron4mobile has joined the channel

Jason Bayton (jason@bayton.org)
2018-01-28 15:20:57

Core 9.6.0.2 update appears to have killed my lab :(

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-28 15:21:33

Oops!

Jason Bayton (jason@bayton.org)
2018-01-28 15:26:01

I would not expect a 404. 5xx sure if the tomcat services are stuck/dead but 404 suggests either redirecting to the wrong place or the update deleted stuff it wasn't supposed to, lol.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-01-28 15:31:27

Good job you backed up before the update....right...?

Jason Bayton (jason@bayton.org)
2018-01-28 15:33:07

Nah, I'm building fresh from 10 beta (when it drops), so didn't bother.

NicolasR (raison_nicolas@me.com)
2018-01-28 21:21:37

The 404 is a known issue of Core 9.6.0.1+

NicolasR (raison_nicolas@me.com)
2018-01-28 21:21:57

I think you can call MI support to get a quick fix

Jason Bayton (jason@bayton.org)
2018-01-28 21:31:51

Jesus yep found it 😄 -- wait, no.. still looking

Paul_O (paulo@bridgeway.co.uk)
2018-01-29 16:55:54

@Paul_O has joined the channel

Roman Kleyn (kleyn.roman@web.de)
2018-01-29 22:39:16

@Roman Kleyn has joined the channel

macbentosh (benbergthold@gmail.com)
2018-01-29 23:00:26

anyone here using box for EMM?

macbentosh (benbergthold@gmail.com)
2018-01-29 23:01:49

Or MAM-Only MDM. Running two cores?

Woody (eric.woodland@trust.tc)
2018-01-31 19:31:31

I’ve Demo’d MAM-Only in the lab @macbentosh. Yes. It’s got to be on two separate appliances.

Woody (eric.woodland@trust.tc)
2018-01-31 19:33:43

Haven’t dealt with Box for EMM. Guessing they just provide additional controls over that specific app (above and beyond what’s on the basic Box app)?

onires53 (jason.r.serino@gmail.com)
2018-01-31 20:03:33

We leverage Box for EMM here.

macbentosh (benbergthold@gmail.com)
2018-01-31 22:08:31

can users use box with mobileiron deployment and without?

onires53 (jason.r.serino@gmail.com)
2018-02-01 23:58:46

*Thread Reply:* From my understanding, it is one or the other. The Box for EMM gives you the ability to push the plist file and use the Box admin console to control DLP. If you don't leverage an EMM then you would just use public Box app. Did that answer your question?

macbentosh (benbergthold@gmail.com)
2018-01-31 22:08:38

my analyst says it is one or the other

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-02-01 09:53:40

We use box here. Users with and without mdm can use box but that is because that's what we configured on the box server to allow.

Shortly we'll be rolling out ping in front of box authentication on mobile to vet if the device is mdm managed or not for conditional access.

👍 Woody
NicolasR (raison_nicolas@me.com)
2018-02-01 20:59:29

@macbentosh yep running iOS/Android MAM Only + iOS/Android MDM with two cores

macbentosh (benbergthold@gmail.com)
2018-02-01 21:19:34

@NicolasR did you follow a guide?

NicolasR (raison_nicolas@me.com)
2018-02-01 21:47:25

Not really... a LOT of testing 🙂

NicolasR (raison_nicolas@me.com)
2018-02-01 21:48:00

Now that this feature is officially supported, the implementation should be better

NicolasR (raison_nicolas@me.com)
2018-02-01 21:49:06

In CORE 9.7 Beta they support MAM+MDM on a single CORE normally

Jason Bayton (jason@bayton.org)
2018-02-01 21:50:25

Anyone tried a work-managed AE deployment in 9.7? My heap of test devices can't finish enrolment (hangs forever on checking for updates in the client).

Jason Bayton (jason@bayton.org)
2018-02-01 21:50:54

*Thread Reply:* I logged a bug in the beta portal but it's not even been sniffed at so far.

macbentosh (benbergthold@gmail.com)
2018-02-02 14:51:10

yea

macbentosh (benbergthold@gmail.com)
2018-02-02 14:51:27

we're not using emm 'cause one high profile user doesn't want MI

😬 Woody
😥 Mark Vonk
Woody (eric.woodland@trust.tc)
2018-02-02 20:01:25

@here anyone using Assemble on Core with a space other than the default (1)?

macbentosh (benbergthold@gmail.com)
2018-02-02 20:26:28

nah bro

👍 Woody
macbentosh (benbergthold@gmail.com)
2018-02-02 22:37:04

how can MI enforce a persistent banner notification?

Woody (eric.woodland@trust.tc)
2018-02-02 22:49:24

Persistent Banner. What’s that?

Jorge Escala (jorge.escala@gmail.com)
2018-02-02 22:56:50

@Jorge Escala has joined the channel

Jason Bayton (jason@bayton.org)
2018-02-03 23:16:32

I'm setting up a beta core, however keep hitting the same snag - when I try to enrol I get a "mutual authentication error" that appears to be client side as the server is not logging anything.

It's built with the same SSL certs and provisioning is over HTTPS rather than 8080.

Both it and the prod core sit side by side behind the same HAProxy and are configured identically except for the hostname.

Client agent logs just repeat the same mutual authentication error with little else.. ADB isn't an option while enrolment is pending with this AE device.. but I can get it from another.

It appears to be related to the TLS provisioning port on 9997 secured again like the prod core with my SSL cert (SAN). HAProxy logs show the connection is being passed through successfully to the beta core, in the very same way it is with the prod.

Mark Vonk (mark.vonk@dahvo.com)
2018-02-04 16:51:54

Did you change or edit the default cipher suites on the Core?

Jason Bayton (jason@bayton.org)
2018-02-04 17:00:44

I've made no changes there, looks at a glance to be the same as 9.6

Mark Vonk (mark.vonk@dahvo.com)
2018-02-04 19:03:02

When do you get the error during registration exactly?

Jason Bayton (jason@bayton.org)
2018-02-04 19:11:41

Literally at inputting the hostname and tapping next. Doesn't even get as far as username request.

Mark Vonk (mark.vonk@dahvo.com)
2018-02-04 19:17:14

Hostname in Mobile@Work? What kind of registration are you doing, you mentioned AE?

Jason Bayton (jason@bayton.org)
2018-02-04 19:20:18

Indeed in the M@W agent - I've tried both AE work-managed with the latest agent pulled from MI servers and standard Android via Play-installed agent. Same issue across multiple devices in LAN and 4G.

Jason Bayton (jason@bayton.org)
2018-02-04 19:25:27

I've logged this with MI as well on the off chance I need an updated agent but I doubt that to be the case.

Mark Vonk (mark.vonk@dahvo.com)
2018-02-04 19:26:08

Ok, never seen that error before. Might be a beta issue, but does sound like a TLS/SSL issue, in particular because of the lack of substantial logging. Have you tried uploading the certs and chain again for TLS? The M@W app uses port 9997 for registration and my experience with MobileIron is that when there is not much in the logs, it is typically an SSL handshake issue.

Jason Bayton (jason@bayton.org)
2018-02-04 19:29:36

Ah yeah, I've reuploaded the certs, reuploaded them to the prod lab and tested to make sure they hadn't corrupted (all works), rebuilt the beta core and went through the whole build all over again to make sure it wasn't just a weird glitch, have had the proxy logs running in real-time showing the traffic going to the correct place.. I'll keep looking until MI respond.

Mark Vonk (mark.vonk@dahvo.com)
2018-02-04 19:31:22

Only thing to test would be the HA proxy in front of the Core. Could you bypass it and have device connections land on the Core directly?

Jason Bayton (jason@bayton.org)
2018-02-04 19:33:56

Yeah that's the plan next. I feel pretty confident though as I've been running this setup with every beta/prod duo since 9.x landed.

Jason Bayton (jason@bayton.org)
2018-02-04 20:32:22

No difference directly natting all relevant ports to the core, mind you internally DNS overrides to the internal address anyway - which I also temporarily disabled for testing

Jason Bayton (jason@bayton.org)
2018-02-04 21:10:40

Found the problem - spent all my time looking in the mics and just noticed this:

Jason Bayton (jason@bayton.org)
2018-02-04 21:10:45

@Jason Bayton uploaded a file: image.png

Mark Vonk (mark.vonk@dahvo.com)
2018-02-05 08:46:01

Catch 22; how would you get the client cert, when you are unable to enroll? Really should read the beta info, I know....

Jason Bayton (jason@bayton.org)
2018-02-05 08:50:26

Beta documentation mentions nothing of it! Maybe they've just cocked up

Jason Bayton (jason@bayton.org)
2018-02-07 10:26:27

Has anyone heard of the MobileIron agent on iOS not being able to update below iOS 9? I've been dropped into a call out of the blue where this is apparently a big issue for a customer and I've never heard of such a bug.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-02-07 10:43:52

Never heard of it, but makes sense.

Remember recently Apple required all app developers to have their apps submitted as 64bit apps.

So any device running anything less than 9.3 (I think) probably doesn't have the processor architecture to support it.

Jason Bayton (jason@bayton.org)
2018-02-07 10:45:40

That is a very good point.. I've literally zero info to go on this so can only speculate currently.

Jason Bayton (jason@bayton.org)
2018-02-07 11:54:30

A good number of them are iPad Air with a 64bit proc. 😞 I did notice converting to managed app is only available from 9.0.. so could very well not be updating automatically because of that. Also talking to MI the agent is supported from 9.0, but made available to 8.x as well, so possibly something to do with that.

Jason Bayton (jason@bayton.org)
2018-02-07 16:30:40

It turned out to be a completely different issue - typical!

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-02-07 16:41:03

*Thread Reply:* Ha! Of course #details?

Woody (eric.woodland@trust.tc)
2018-02-07 16:46:30

*Thread Reply:* ^^^ Yes, please!

Jason Bayton (jason@bayton.org)
2018-02-07 18:03:02

*Thread Reply:* It was nothing to do with iOS version, but agent version. Competing configs and one of them blocking app installations. There's a wider issue with the APNS losing connectivity as well. All bundled up into one "it don't work"

🙃 Woody
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-02-07 18:04:03

*Thread Reply:* Always the way,

Jonathan Henson (jon@1fixpc.com)
2018-02-12 17:43:20

Has anyone else experienced the 'save' button being grayed out when editing a DEP profile or trying to add a new DEP profile in Core 9.5.0.0 and Core 9.6.0.2?

Mark Vonk (mark.vonk@dahvo.com)
2018-02-12 19:35:13

Nope, not an issue here. Do you have the Manage device enrollment (iOS only) Role assigned?

Jonathan Henson (jon@1fixpc.com)
2018-02-12 20:07:19

Yes, manage device enrollment (iOS only) is assigned. A few folks have reported the same issue in this thread.

Mark Vonk (mark.vonk@dahvo.com)
2018-02-12 21:21:33

I know what you mean. Saw that issue, let me check: it's a combination of fields you need to select/de-select/fill before you can save it. hold on

Jonathan Henson (jon@1fixpc.com)
2018-02-12 21:22:34

Thanks Mark. I've clicked and unclicked what seems like everything.

Mark Vonk (mark.vonk@dahvo.com)
2018-02-12 21:33:09

Did you enter a username and password for "Setup Managed macOS Admin Account" ?

Mark Vonk (mark.vonk@dahvo.com)
2018-02-12 21:34:29

Also, you will need to select "Show custom text on the Login page" and enter some text and then de-select it again when you do not want to use it. And... Select "Await device configuration during DEP setup" and make sure some value between 1-10 is entered and again, de-select it when you do not want to set it

Mark Vonk (mark.vonk@dahvo.com)
2018-02-12 21:36:00

Username btw may not contain "admin" or "root" I believe

Jonathan Henson (jon@1fixpc.com)
2018-02-12 21:36:55

Yes, I did test adding a username / password for "setup managed macOS admin account".

Jonathan Henson (jon@1fixpc.com)
2018-02-12 21:38:17

ok, I just tried all of these options and the issue persists. I did open case 00396144.

Jonathan Henson (jon@1fixpc.com)
2018-02-12 21:39:33

Well, now it's working.

Mark Vonk (mark.vonk@dahvo.com)
2018-02-12 21:40:15

Weird issue. Just keep clicking on options and fill in the fields and at some point you can save...

Jonathan Henson (jon@1fixpc.com)
2018-02-12 21:47:08

Thanks for the help Mark. I'm able to create new and modify existing enrollment profiles after going through what you laid out again.

Mark Vonk (mark.vonk@dahvo.com)
2018-02-12 21:53:52

ok good stuff!

Jason Bayton (jason@bayton.org)
2018-02-13 16:06:07

Does anyone know of any practical issues with running Core/Sentry in Azure?

Mark Vonk (mark.vonk@dahvo.com)
2018-02-13 19:16:11

Except for a special Sentry, it's not supported to run the Core in Azure. So for production servers, that would be a practical issue. The Sentry is kind of like a template you can select in AWS/Azure, I believe. Without it, you probably can't configure it like an on-premises virtual machine?

Jason Bayton (jason@bayton.org)
2018-02-13 19:18:15

Ok good to know. This is the first Azure related query I've ever had so interesting if nothing else!

Mark Vonk (mark.vonk@dahvo.com)
2018-02-13 19:37:08

This will make for an interesting read: https://community.mobileiron.com/docs/DOC-6600. If you search for something like "azure cloud installation" on the MobileIron communities website, you will also find the installation guide.

macbentosh (benbergthold@gmail.com)
2018-02-15 17:32:49

has anyone set up MAM only on another core? Do you link the cores together somehow or just let them run.

Barrie Codona (barrie.codona@hotmail.com)
2018-02-15 17:50:49

I've not configured this yet, but reading through the Apps@Work guide, you would configure these as 2 separate servers that are not linked together.

Barrie Codona (barrie.codona@hotmail.com)
2018-02-15 17:55:35

One would be your EMM Server (MDM & MAM) and the other would be just MAM.

Woody (eric.woodland@trust.tc)
2018-02-15 21:28:22

Correct @Barrie Codona, they are run as two entirely separate instances ATM @macbentosh

macbentosh (benbergthold@gmail.com)
2018-02-15 21:35:29

any good way just to make a backup then restore it

Jason Bayton (jason@bayton.org)
2018-02-15 21:47:07

*Thread Reply:* System backup via the MICs is pretty bulletproof

macbentosh (benbergthold@gmail.com)
2018-02-15 21:51:34

*Thread Reply:* Was looking at backing up current core and restoring to the mam core

Jason Bayton (jason@bayton.org)
2018-02-15 21:58:23

*Thread Reply:* So you should be able to run a system backup, then restore it to the mam server without the system settings. I haven't done it this way yet (always restore settings too) but it's been flawless each time.

NicolasR (raison_nicolas@me.com)
2018-02-15 22:41:19

*Thread Reply:* Yes but doing this requires removing the APNS MDM certificate in the DB. Note that Core 9.7 will support MAM only on the same CORE

macbentosh (benbergthold@gmail.com)
2018-02-15 22:47:14

*Thread Reply:* ?….

macbentosh (benbergthold@gmail.com)
2018-02-15 22:47:28

*Thread Reply:* go on @NicolasR

NicolasR (raison_nicolas@me.com)
2018-02-15 22:49:30

*Thread Reply:* Core 9.7 will support MDM + MAM only on the same Core

macbentosh (benbergthold@gmail.com)
2018-02-15 22:50:31

*Thread Reply:* oh really…Docs?

macbentosh (benbergthold@gmail.com)
2018-02-15 22:50:58

*Thread Reply:* how can you separate the configs?

NicolasR (raison_nicolas@me.com)
2018-02-15 22:51:48

*Thread Reply:* Haven’t tested yet but I’ve seen it in the release notes in Centercode beta portal

NicolasR (raison_nicolas@me.com)
2018-02-15 22:52:06

*Thread Reply:* ETA for the GA : 3/14

macbentosh (benbergthold@gmail.com)
2018-02-15 22:52:15

*Thread Reply:* link? Never been there.

NicolasR (raison_nicolas@me.com)
2018-02-15 22:53:58

*Thread Reply:* MAM Only

Ability to disable profile installation for iOS MAM-only devices

NicolasR (raison_nicolas@me.com)
2018-02-15 22:54:04

*Thread Reply:* Not opened to everyone

NicolasR (raison_nicolas@me.com)
2018-02-15 22:54:22

*Thread Reply:* You need to ask your MI sales or system engineer

macbentosh (benbergthold@gmail.com)
2018-02-15 22:54:35

*Thread Reply:* gotcha

Steven Parker (steven9205@gmail.com)
2018-02-16 18:17:37

@Steven Parker has joined the channel

thebjohn (brandonjohnson518@gmail.com)
2018-02-20 16:06:26

Anyone implemented custom branding in Core? We rolled ours out this last Thursday after our Production upgrade to Core 9.6.0.2. The reason I ask, is I noticed the configuration associated with it (System - iOS Enterprise AppStore) has seriously slowed down in pushing this config to remaining devices in the Watch List. Any way to speed this back up?

macbentosh (benbergthold@gmail.com)
2018-02-20 16:21:36

slow to push or waiting for devices?

Kiran Patel (kiran@kiranpatel.net)
2018-02-20 16:38:38

Random ? in case anyone knows. One of our Sentrys was built with a typo in the enable password. Is there an easy way to change just the enable password and not have to rebuild the entire config?

thebjohn (brandonjohnson518@gmail.com)
2018-02-20 16:39:21

@macbentosh Devices are checking in, Core just seems to be slowing down in processing this push

Barrie Codona (barrie.codona@hotmail.com)
2018-02-20 20:21:32

@Kiran Patel Change the Enable password in the Sentry GUI:

Barrie Codona (barrie.codona@hotmail.com)
2018-02-20 20:21:38

@Barrie Codona uploaded a file: image.png

2018-02-20 20:23:39

@Kiran Patel commented on @Barrie Codona’s file https://mobilxperts.slack.com/files/U7JE59F0B/F9C2FGZ18/image.png: Wow thanks, that was a brain fart on my end! Appreciate the help Barrie!

2018-02-20 21:57:25

@Barrie Codona commented on @Barrie Codona’s file https://mobilxperts.slack.com/files/U7JE59F0B/F9C2FGZ18/image.png: You can also change it via the CLI from within the Configuration Terminal using the 'enable secret' command.

Jerome Pascal (jerome.pascal@fr.ibm.com)
2018-02-21 13:12:15

@Jerome Pascal has joined the channel

Simon (simonhu@au1.ibm.com)
2018-02-22 00:59:35

@Simon has joined the channel

Eric Bos (ericbos1@ie.ibm.com)
2018-02-22 09:24:13

@Eric Bos has joined the channel

Woody (eric.woodland@trust.tc)
2018-03-03 02:46:19

@here is anyone using Core with SAML and an IdP other than ADFS? Perhaps one that does not allow for the upload of the SP Metadata (e.g you created the corresponding IdP Service by hand)?

thebjohn (brandonjohnson518@gmail.com)
2018-03-03 12:08:35

@Woody Not at the moment. We are leveraging ADFS but now getting into KCD for “SSO” type auth

Woody (eric.woodland@trust.tc)
2018-03-04 03:52:48

@thebjohn Okay. Just working to create an integration guide and curious how it looks for other IdPs that have manually created services.

Brett Dal Santo (brett@dalsanto.com.au)
2018-03-06 08:16:26

@Brett Dal Santo has joined the channel

macbentosh (benbergthold@gmail.com)
2018-03-06 17:38:36

what determines the auto lock time in MI?

Jason Bayton (jason@bayton.org)
2018-03-06 17:39:39

Security policy IIRC

macbentosh (benbergthold@gmail.com)
2018-03-06 17:40:01

so our sec policy says we allow 30 min. Device only allows up to 5

macbentosh (benbergthold@gmail.com)
2018-03-06 17:40:08

where else should i check?

Woody (eric.woodland@trust.tc)
2018-03-06 17:41:42

You’ll find that the “Max” in a policy can always exceed the Max that said device will allow. Phones never have allowed for more than 5, where iPads have an upper limit of 15

macbentosh (benbergthold@gmail.com)
2018-03-06 17:52:27

so can i push another config to set the time i want within the limits

macbentosh (benbergthold@gmail.com)
2018-03-06 18:14:04

You can’t actually set “never” as the option that user-selected on the devices or any value for that matter. All you can do is define the maximum allowable value. To allow never as the maximum allowable value, simply do not define an auto-lock value in your profile.

Woody (eric.woodland@trust.tc)
2018-03-06 18:14:45

Right

Woody (eric.woodland@trust.tc)
2018-03-06 18:15:06

So you could do a Policy for iPhone (5 Min) and iPad (15 Mins)

Woody (eric.woodland@trust.tc)
2018-03-06 18:15:40

So there’s a default value, enforcement and the user can set any value they want in the range

macbentosh (benbergthold@gmail.com)
2018-03-07 20:44:42

any issue with core being on 9.6.0.0 and sentrys being on 9.2.1?

Scott Flower (scottf@bridgeway.co.uk)
2018-03-07 20:48:47

@Scott Flower has joined the channel

Steve Hayton (shayton@bridgeway.co.uk)
2018-03-07 20:49:04

@Steve Hayton has joined the channel

Martin Hodgson (martinh@bridgeway.co.uk)
2018-03-07 20:49:08

@Martin Hodgson has joined the channel

macbentosh (benbergthold@gmail.com)
2018-03-07 20:53:52

? is it ok if core is behind…

macbentosh (benbergthold@gmail.com)
2018-03-07 21:00:02

asking because i’m having an error with docs@work

Woody (eric.woodland@trust.tc)
2018-03-07 21:00:20

Sentry sees Core as the Mothership/Brains of the Operation. So, it’s usually a bad thing if the employee is more up-to-date than the Boss. Reason being is that the newer Sentry may have more functions available than the Boss can support

macbentosh (benbergthold@gmail.com)
2018-03-07 21:02:27

Might not be able to update for 3 weeks….

macbentosh (benbergthold@gmail.com)
2018-03-07 21:04:14

what’s changed in 9.6.0.0 to 9.6.0.2?

Jason Bayton (jason@bayton.org)
2018-03-07 21:05:12

I wouldn't go up to 9.6.0.2 .. took out two of my lab cores with a bug requiring a DB edit.

macbentosh (benbergthold@gmail.com)
2018-03-07 21:05:44

last time same issue for us. Will I be ok with my sentrys on 9.2.1?

macbentosh (benbergthold@gmail.com)
2018-03-07 21:08:41

also getting an invalid response from server. if the issue persists, contact your administrator. From a working cifs share. I can connect to it from my mac at smb:// but the docs@work config is https://

Woody (eric.woodland@trust.tc)
2018-03-07 21:10:00

Personally, I would rebuild each and lower them down to a Core 9.6.0.0 supported version (in case you need to launch a support case).

macbentosh (benbergthold@gmail.com)
2018-03-07 21:10:34

sentry? isn't on 9.6

macbentosh (benbergthold@gmail.com)
2018-03-07 21:52:43

@Woody can I restore from a snapshot without issue?

NicolasR (raison_nicolas@me.com)
2018-03-07 23:20:55

FYI I configured a Surface hub today to authenticate using certificate to a Radius (802.1x) in a Wired network :-) Worked fine using SyncML

👏 Woody, SebastienP
😎 SebastienP
thebjohn (brandonjohnson518@gmail.com)
2018-03-08 14:17:14

Per-App VPN availability for macOS. Core 9.7 release or still TBD?

Jason (jasonh@bridgeway.co.uk)
2018-03-09 09:26:23

*Thread Reply:* Confirmed as beta release in Core 9.7, so fingers crossed!

thebjohn (brandonjohnson518@gmail.com)
2018-03-09 12:07:12

*Thread Reply:* Excellent, thanks!

Barrie Codona (barrie.codona@hotmail.com)
2018-03-08 14:41:37

@macbentosh regarding your CIFS issue with Sentry 9.2.1 - this might be due to support for SMBv1 being dropped in Sentry 9.2.x.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2018-03-08 15:02:34

Apparently partially based on our work with IronWorks, which was a pleasant surprise!

Martin Cygan (martin@mobileiron.com)
2018-03-08 15:22:46

Congrats @Jason

Jason (jasonh@bridgeway.co.uk)
2018-03-08 15:23:09

Thanks, it was a team effort!

Jason Bayton (jason@bayton.org)
2018-03-08 15:50:18

If we're posting award photos.. 😉

Mark Vonk (mark.vonk@dahvo.com)
2018-03-08 18:07:14

Congrats @Jason and @Jason Bayton

Kiran Patel (kiran@kiranpatel.net)
2018-03-08 21:07:55

Congrats!!

Jason (jasonh@bridgeway.co.uk)
2018-03-09 09:24:16

Thanks all!

Mark Vonk (mark.vonk@dahvo.com)
2018-03-09 09:29:08

MobileIron must be handing these out in alphabetical order and reached Ja(son) now 😀

Jason (jasonh@bridgeway.co.uk)
2018-03-09 09:30:39

@Mark Vonk Hahaha! You’re pleased they’re not doing it by surname, I guess? 😉

Paul_O (paulo@bridgeway.co.uk)
2018-03-09 09:34:41

@Jason Bayton - I think Paul and Jim were happy to accept on your behalf. Well done!

Jason Bayton (jason@bayton.org)
2018-03-09 09:38:09

I got that impression indeed! Thanks Paul 🙂

Jason (jasonh@bridgeway.co.uk)
2018-03-09 09:54:27

@Jason Bayton Must be something in our names… 😉

Jason Bayton (jason@bayton.org)
2018-03-09 09:56:36

It's a pretty incredible name, though I'm probably biased.

Paul_O (paulo@bridgeway.co.uk)
2018-03-09 09:59:43

Imagine the babies if you mated………🤮

Jason (jasonh@bridgeway.co.uk)
2018-03-09 10:00:06

Well, I’m not sure names work that way, Paul…

😂 Jason Bayton, Woody
Paul_O (paulo@bridgeway.co.uk)
2018-03-09 10:00:42

“asking for a friend”

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 16:42:37

Anyone deploying Exchange Mail configurations to macOS via MI?

Jason (jasonh@bridgeway.co.uk)
2018-03-12 18:30:30

Yup.

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 18:43:30

@Jason Utikizing an IMAP config I’m assuming? Pointing directly to an EWS externally accessible URL?

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 18:43:40

Utilizing**

Jason (jasonh@bridgeway.co.uk)
2018-03-12 18:45:00

ActiveSync (EAS server) or IMAP/SMTP, why?

Jason (jasonh@bridgeway.co.uk)
2018-03-12 18:46:02

**as in, both should work, but you may find EAS support in Mail, erm, interesting?

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 18:48:37

macOS doesn’t support ActiveSync... 🤔

Jason (jasonh@bridgeway.co.uk)
2018-03-12 18:54:33

https://support.apple.com/en-gb/HT201951

Jason (jasonh@bridgeway.co.uk)
2018-03-12 18:55:16

I will be honest, I have found the Apple Mail app to be awkward to use with Exchange.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 18:55:43

Outlook for macOS is not ideal, but also an option.

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 18:55:45

So you had to manually configure and couldn’t push out this config via MI Email Configuration? I referenced this article earlier

Jason (jasonh@bridgeway.co.uk)
2018-03-12 18:57:38

We did this a couple of years ago and it worked then - however, I haven’t tried recently.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 18:57:48

What’s the challenge that you’re having?

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 18:59:11

We currently do not have EWS enabled on Exchange. Currently, only way to access email on mobile is through our Sentrys which connect to Exchange via ActiveSync. I’m currently ID & Assessing macOS capabilities, and wanted to know ins and outs of email for macOS.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:00:27

Nope, sorry, just checked and yes, we’re pushing EAS settings out via MI to macOS devices.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:00:49

(I don’t use Mail for the reasons I’ve already hinted at, but let me check)

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:01:31

Yep, working in Mail with EAS settings pushed through MobileIron.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:02:38

So the standard Exchange configuration (as we use for iOS) pushed out to macOS devices as well. Mail app picks this up and runs with it fine - just checked inbox sync’d correctly and running as you’d expect.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:02:52

Personally, I cannot stand the Mail app, but it does work.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:03:50

Your power users (esp. if they’re moving from a Windows background) will probably ask for/expect Outlook instead, which can be manually configured to work with EAS too, of course.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:04:19

(Core 9.5, macOS High Sierra 10.13.3)

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 19:04:30

Interesting, I’ll have to test tomorrow to see if it works for us too. That protocol isn’t supported, so I’m a little baffled.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:05:25

I believe EAS support has been in Mail for a few years now. It also supports Contacts and Calendar too.

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:05:47

(Saving you from having to push out CalDAV or CardDAV alternatives)

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 19:06:43

I’m going to test and get back, based on documentation, this shouldn’t be working

Jason (jasonh@bridgeway.co.uk)
2018-03-12 19:07:27

Which documentation?

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 19:45:17

Apple site you just referenced as well as the latest Core 9.6 doc, device management for iOS and macOS

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-12 19:50:36

I believe in macos it pushes the profile as an ews profile not activesync.

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 19:51:33

@Simon Hardy-Bistagne That makes more sense. I’ll test again tomorrow and see, as our standard Exchange config is set to use ActiveSync, as I imagine a majority here who utilize Exchange are also using for iOS and Android

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 20:13:35

I assume this applies to Core as well and not just Cloud

Woody (eric.woodland@trust.tc)
2018-03-12 20:52:57

Yes, @thebjohn - Any time an Exchange config heads to MacOS, it is interpreted as EWS

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 23:19:08

@Woody I was not aware this was the case, good to know. MI documentation did not seem to specify that in the iOS/macOS guide for Core 9.6+

Woody (eric.woodland@trust.tc)
2018-03-12 23:43:37

Yeah - I don’t believe it’s even a function of the EMM. It’s more about how Mail in MacOS interprets and installs the config

thebjohn (brandonjohnson518@gmail.com)
2018-03-12 23:49:56

@Woody I plan to test again tomorrow and see how it goes. Thanks for the insight on this everyone! I’ll let you know how it goes tomorrow

🤘 Woody, Jason
Jason (jasonh@bridgeway.co.uk)
2018-03-13 09:13:55

Ah, just learnt something about the magic behind the scenes there. Thanks.

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 12:27:08

I did confirm the mail config gets to the Mac this morning, but Mail app does not recognize any config for Exchange

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 12:27:55

I confirmed with our Exchange guys that EWS leverages a different URL, so I copied our existing Exchange config for iOS, and created a new one to leverage the EWS URL, unfortunately no dice. Gets applied to the device, but mail app doesn’t recognize

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-13 13:05:22

Is that down to the config or a conditional access role in the o365 platform blocking macos?

SEG I don't think can enable ews so you need to enable it on the o365 side manually

Jason (jasonh@bridgeway.co.uk)
2018-03-13 13:08:57

Does it work by manually configuring the Exchange settings in the app (well, system preferences)?

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 13:31:41

Strangely, I got it configured, but doesn’t seem to be connecting, get an Account Error in the Mail app on the Mac. I’m working with my Exchange team now. They had to enable EWS for me and tweak a few things. Being that it would not leverage our alias for passing through Sentry as we have for ActiveSync devices, I’m in discussion if a new alias which would then have to be configured into Sentry would be necessary.

Jason (jasonh@bridgeway.co.uk)
2018-03-13 13:32:48

Wireshark and firewall logs are your friends. 🙂 Good luck and happy hunting!

Woody (eric.woodland@trust.tc)
2018-03-13 13:39:50

Curious @thebjohn - Does that same account work with a manually configured entry in Mail?

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 13:45:03

@Woody It authenticated but then shows account error. I’m working with our Exchange guys to see if EWS is only accessible internally, which I’m guessing so. Meaning I would need to create a new entry in the Sentry ActiveSync Server config in Core for the EWS URL, assuming it supports it and multiple “ActiveSync/EWS” Server config

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 13:52:40

Sentry documentation says supports multiple domains for ActiveSync, but nothing for EWS

Woody (eric.woodland@trust.tc)
2018-03-13 13:53:05

The best you can do in this scenario is create a separate Exchange config for MacOS that points direct to the EWS service. Sentry will not be in a position to accommodate EWS traffic.

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 13:53:22

Core documentation sucks and does not reference EWS in the way Cloud documentation @Simon Hardy-Bistagne provided

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 13:53:56

@Woody So basically direct connect to EWS and no pass through Sentry, that’s going to get shot done real quick here lol

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 13:54:11

Down

Woody (eric.woodland@trust.tc)
2018-03-13 13:55:14

Right. Sentry is just an ActiveSync proxy. Just start looking at securing the EWS service itself. O365 or On-Premise?

Woody (eric.woodland@trust.tc)
2018-03-13 13:57:55

If nothing else you could force EWS traffic through a VPN/MobileIron tunnel and allow access to EWS only from on-premise tunneled network segments.

Woody (eric.woodland@trust.tc)
2018-03-13 13:58:31

That would at least accomplish the task of proving that the connection was coming from a managed device.

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 13:59:41

Oh, I didn’t think about that. So potentially leveraging Tunnel Sentry to pass through EWS traffic. Assuming I wouldn’t have to then Tunnel the Mail app as it passes through Sentry and can’t do per app VPN on Mac yet anyways

Woody (eric.woodland@trust.tc)
2018-03-13 14:06:09

Yeah, I’m just tossing out ideas for future consideration 🤓

Woody (eric.woodland@trust.tc)
2018-03-13 14:06:55

That’s the closest thing you could have as an “EWS Proxy” I suppose.

Jason (jasonh@bridgeway.co.uk)
2018-03-13 14:07:40

Per App VPN (for macOS) rumoured to be in Core 9.7, which is due very soon, allegedly.

Jason (jasonh@bridgeway.co.uk)
2018-03-13 14:08:19

Cloud will have it too - not sure which one you’re using?

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 14:09:37

We are Core, currently at 9.6.0.2. I’d be interested to see Tunneling the native mail app and Remote Desktop client for Mac. Looking forward to 9.7 (assuming this capability comes with it).

Woody (eric.woodland@trust.tc)
2018-03-13 14:10:39

I’m curious what would happen with Per-App VPN for Mail if a user added their personal GMail as a tenant. Surely there would be a URL filter component applied.

Woody (eric.woodland@trust.tc)
2018-03-13 14:11:02

Or it would only tunnel traffic for managed configs inside Mail

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 14:13:52

I’m guessing the latter, that’s the ideal

Jason (jasonh@bridgeway.co.uk)
2018-03-13 14:29:24

I’m guessing the former, as the VPN applies to the app, not the container/email settings

Jason (jasonh@bridgeway.co.uk)
2018-03-13 14:30:12

You’d have to either accept the tromboning of the data, or block it by firewall/web filtering

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 14:44:33

@Jason So possibly deploy Outlook or a third party client for Exchange mail

Woody (eric.woodland@trust.tc)
2018-03-13 14:52:03

Or… flip EWS to use CBA or something that an unmanaged client could not produce.

Woody (eric.woodland@trust.tc)
2018-03-13 14:52:31

You then eliminate needing the VPN/Tunnel altogether

Jason (jasonh@bridgeway.co.uk)
2018-03-13 14:54:26

@thebjohn Indeed.

Jason (jasonh@bridgeway.co.uk)
2018-03-13 14:59:46

@thebjohn Is this a corporate owned and managed device?

Jason (jasonh@bridgeway.co.uk)
2018-03-13 14:59:54

Or BYOD?

Jason (jasonh@bridgeway.co.uk)
2018-03-13 15:00:13

If the former, why not just deploy a VPN to it?

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 15:05:18

Scope is currently just personally owned (BYOD)

Jason (jasonh@bridgeway.co.uk)
2018-03-13 15:05:42

Hmm, VPN is somewhat out of the question then. I would go down the Tunnel route.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-13 15:11:00

Why not use the seg URL as a proxy for the ews traffic?

Woody (eric.woodland@trust.tc)
2018-03-13 15:21:46

Seg URL, as in Sentry URL @Simon Hardy-Bistagne?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-03-13 15:26:16

Ah sorry yes... Same thing....! 😀

Just have the ews URL point to your sentry to proxy.

No need to VPN or tunnel

Woody (eric.woodland@trust.tc)
2018-03-13 15:35:03

AFAIK Sentry cannot proxy the EWS traffic. It can handle ActiveSync and AppConnect (MobileIron proprietary)/Tunnel (Device Native/Per-App VPN).

Jason (jasonh@bridgeway.co.uk)
2018-03-13 15:35:51

But no AppConnect for macOS, so that’s academic in this case, unfortunately.

Woody (eric.woodland@trust.tc)
2018-03-13 15:36:13

I do wonder if that could be easily bolted-on, because you’re probably going to see shops requesting the function

Jason (jasonh@bridgeway.co.uk)
2018-03-13 15:36:33

I’ve never heard of proxying via Sentry for this, either, btw.

thebjohn (brandonjohnson518@gmail.com)
2018-03-13 15:41:43

I’ll just have to wait and see what’s in store with macOS per app VPN in Core 9.7 (potentially)

Jason (jasonh@bridgeway.co.uk)
2018-03-13 15:42:11

Very soon now… 🙂

Arjan (aveenboer@hotmail.com)
2018-03-16 09:58:12

@Arjan has joined the channel

Jason Bayton (jason@bayton.org)
2018-03-21 09:01:05

Looks like Cloud will be down for a while yet 🙄 🤔 😕 😬

Amine (amine.ayad@gmail.com)
2018-03-21 10:32:51

https://trust.mobileiron.com/

Jason Bayton (jason@bayton.org)
2018-03-21 10:33:58

Yeah, so a while yet..

SebastienP (spernot@gmail.com)
2018-03-27 22:41:33

AnyConnect Legacy will no longer be available for iOS 12

👍 NicolasR
macbentosh (benbergthold@gmail.com)
2018-03-29 18:14:19

what did I miss?

macbentosh (benbergthold@gmail.com)
2018-03-29 18:14:23

when is 9.7 out?

Jason (jasonh@bridgeway.co.uk)
2018-03-29 18:35:10

Came out late on Tuesday this week.

macbentosh (benbergthold@gmail.com)
2018-03-29 18:46:36

LDAP bug fixed?

Jason (jasonh@bridgeway.co.uk)
2018-03-29 18:47:21

Seems to be. So far, so good with this release.

macbentosh (benbergthold@gmail.com)
2018-03-30 16:57:25

checked for updates and only seeing 9.6.0.2

Jason Bayton (jason@bayton.org)
2018-03-30 16:58:07

Default update URL? 9.7 released with no announcement because they're running behind.

😂 Kiran Patel
macbentosh (benbergthold@gmail.com)
2018-03-30 17:04:35

yup

Jonathan Henson (jon@1fixpc.com)
2018-03-30 17:07:02

MobileIron Core upgrade URL Use the following URL if you specify an alternate URL: https://support.mobileiron.com/mi/vsp/9.7.0.0-58/mobileiron-9.7.0.0-58

👍 Woody, Jason Bayton, Jason, Paul_O
Mark Vonk (mark.vonk@dahvo.com)
2018-04-03 07:51:59

Core 9.7.0.0 has been removed due to upgrade issues. 9.7.0.1 will replace it.

Paul_O (paulo@bridgeway.co.uk)
2018-04-03 08:27:00

MobileIron QA process has been challenged of late - or so it would seem....

Jason Bayton (jason@bayton.org)
2018-04-03 08:36:03

And over a permissions issue as well. Linux 101...

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-03 08:38:08

@Simon Hardy-Bistagne uploaded a file: image.png

Jason Bayton (jason@bayton.org)
2018-04-03 08:54:12

I'll take the bugs Simon, thanks

😂 Paul_O, Jason, Woody, NicolasR
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-03 08:54:30

lol

Mark Vonk (mark.vonk@dahvo.com)
2018-04-03 09:29:02

I think it's hard to maintain the current flow of Core updates. We have customers running Core since Core version 4 or 5. With all the different versions, upgrade paths, etc. it seems hard to get the updates correct and tested. I do believe they are working on a new code base for Core (based on Cloud) which should be a lot easier to maintain. Some of the basics in Core do need a complete overhaul I think. Hopefully migrating / upgrading to the new infra will be easy, but I am scared it won't be.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-03 09:31:22

TBH, all the releases from AW, MI, and MS I've seen lately have been full of bugs, broken functions, or simply poor QA. Seems like they're all struggling to keep up with the constant demand for new features.

macbentosh (benbergthold@gmail.com)
2018-04-03 14:50:07

upgrade path MI releases it - Hit install - Open a ticket for them to fix it.

😆 Woody
macbentosh (benbergthold@gmail.com)
2018-04-03 14:50:09

😛

Jason Bayton (jason@bayton.org)
2018-04-04 14:40:28

Back to business.. setting up kerberos auth on SSRS (sequel reporting service). Would w@w work with that?

Jason Bayton (jason@bayton.org)
2018-04-04 14:40:32

https://stackoverflow.com/questions/40253751/ssrs-2016-native-double-hop-windows-authentication

Woody (eric.woodland@trust.tc)
2018-04-04 17:11:10

Provided you’re able to delegate the MobileIron Sentry SPN to the SSRS SPN (and the SSRS front-end supports Kerberos/IWA auth) - It should work

👍 Jason Bayton
Jason Bayton (jason@bayton.org)
2018-04-04 21:22:50

*Thread Reply:* Perfect, thanks!

macbentosh (benbergthold@gmail.com)
2018-04-05 15:59:56

did anyone have issues with docs@work after the latest core upgrade. Having major permissions issues with shares

Woody (eric.woodland@trust.tc)
2018-04-05 17:17:08

*Thread Reply:* Did you end up on 9.6.0.2 or 9.7?

Kiran Patel (kiran@kiranpatel.net)
2018-04-05 20:31:21

*Thread Reply:* Do you have collapse Docs@Work configs enabled? What types of issues are you seeing?

Woody (eric.woodland@trust.tc)
2018-04-06 14:31:23

*Thread Reply:* @macbentosh going all vague-Slacking on us

macbentosh (benbergthold@gmail.com)
2018-04-06 15:11:07

*Thread Reply:* yea

macbentosh (benbergthold@gmail.com)
2018-04-06 15:11:08

*Thread Reply:* lol

macbentosh (benbergthold@gmail.com)
2018-04-06 15:11:14

*Thread Reply:* i dont always see threads

macbentosh (benbergthold@gmail.com)
2018-04-06 15:11:19

*Thread Reply:* I do stack configs

macbentosh (benbergthold@gmail.com)
2018-04-06 15:28:35

*Thread Reply:* Q: How did you determine the issue is caused by security groups not getting recognized? A: When Devices try to access the share using Active Directory Groups they are not allowed. When the Active Directory User Account is then added explicitly they are now able to access the share.

Q: If you open up the permissions on one of the shares in question were you able to access the share without issue? A: Yes but only through a Workstation or Laptop. Both MAC and Windows machines are able to use the groups. Apple Mobile Devices are not.

Q: What security group is in question (and is it a user or device based group)? A: These are Active Directory Groups, with Individual Users in each. There are no Nested groups involved.

macbentosh (benbergthold@gmail.com)
2018-04-06 15:28:43

*Thread Reply:*

Woody (eric.woodland@trust.tc)
2018-04-06 19:49:21

*Thread Reply:* That’s odd, since you’re keeping it simple on groups (not nesting). What error do you see on the Sentry when the client displays this error?

macbentosh (benbergthold@gmail.com)
2018-04-09 15:02:07

*Thread Reply:* dunno logs were sent to MI….Still waiting. Per them there is nothing wrong as sentry is just a proxy.

Woody (eric.woodland@trust.tc)
2018-04-09 15:34:05

*Thread Reply:* Gotcha. I think you went through this earlier, but said shares are using SMB 2.x+. Right?

macbentosh (benbergthold@gmail.com)
2018-04-11 21:51:05

*Thread Reply:* yes

Kiran Patel (kiran@kiranpatel.net)
2018-04-05 20:28:43

Hey guys - looks like I've walked into an environment where the MobileIron Core provisioning port in Prod is still set to 8080. Has anyone gone through the process of converting this to 443 and dealt with all the cert renewals that go along with it?

Kiran Patel (kiran@kiranpatel.net)
2018-04-05 20:29:15

*Thread Reply:* also that being said, security concerns aside do you know of any issues with leaving it at 8080?

Woody (eric.woodland@trust.tc)
2018-04-05 20:45:19

*Thread Reply:* @Kiran Patel I’ve gone through this a couple times in the past. When you convert the provisioning port to 443, it basically just enrolls any new devices over 443 (SSL) instead of 8080 (HTTP)

Woody (eric.woodland@trust.tc)
2018-04-05 20:46:47

*Thread Reply:* So, the only issue you’d encounter (after switching) is that if a device had enrolled using 8080 and tried to re-install their MDM profile, they would need to Retire/Re-Enroll (because the original profile was created/stored referencing 8080 which is no longer available)

Kiran Patel (kiran@kiranpatel.net)
2018-04-05 20:52:59

*Thread Reply:* @Woody thanks man! It would also re-push SCEP certs and resync email right?

Woody (eric.woodland@trust.tc)
2018-04-05 20:53:35

*Thread Reply:* No - The enrollment port only pertains to new devices coming in. Anyone who was already enrolled is past that point (and thereby not affected)

Kiran Patel (kiran@kiranpatel.net)
2018-04-05 21:43:14

*Thread Reply:* really? We were told by support since the port is also referenced in the Local CA for the information URL & distribution point it would force certs to get re-created

NicolasR (raison_nicolas@me.com)
2018-04-05 23:09:54

*Thread Reply:* Provisioning port changes Local CA CRL endpoints to 443 port (which is by the way stupid...!) I don’t think it will regenerate certificates, except if there is a new way introduced in Core since few versions. I’ve done this without issues in the past too

Woody (eric.woodland@trust.tc)
2018-04-06 03:32:34

*Thread Reply:* Ah yes, that’s correct @Kiran Patel. I forgot, it does update the CRLs from Core.FQDN:8080/CA to https://Core.FQDN/CA. It’s been a minute, but I’m with @NicolasR on not re-generating certs. I can spin-up an 8080 Core and check, if you like.

Kiran Patel (kiran@kiranpatel.net)
2018-04-06 12:14:49

*Thread Reply:* Thanks guys, no need to spin up as I should be able to test this. Thanks again!

👍 Woody
Woody (eric.woodland@trust.tc)
2018-04-06 14:31:10

*Thread Reply:* Right on! Happy Friday, BTW

Kiran Patel (kiran@kiranpatel.net)
2018-04-06 16:12:28

*Thread Reply:* Happy Friday indeed! 😄

Martin Hodgson (martinh@bridgeway.co.uk)
2018-04-12 19:19:38

*Thread Reply:* Once set to 443, do not change it back, there's no reason to do so. If it is reverted back to 8080 new devices will fail to enrol. It's not obvious at first, usual troubleshooting: checking MDM and Enrolment certs with much head scratching, until you look in System Manager and see it back on 8080.

👍 Kiran Patel
macbentosh (benbergthold@gmail.com)
2018-04-06 15:27:54

@macbentosh uploaded a file: image1.png

macbentosh (benbergthold@gmail.com)
2018-04-06 18:59:20

yes

Jason (jasonh@bridgeway.co.uk)
2018-04-12 13:18:19

BTW, Core 9.7.0.1 released last night.

👍 Jason Bayton, NicolasR
macbentosh (benbergthold@gmail.com)
2018-04-12 17:29:31

fixes?

Jason Bayton (jason@bayton.org)
2018-04-12 17:30:59

Critical permissions issue

Jason (jasonh@bridgeway.co.uk)
2018-04-12 17:31:01

We hope so.

Jason (jasonh@bridgeway.co.uk)
2018-04-12 17:32:26

So far seems to have addressed the Redis issue and a few others we had found in our own testing. This is still taking place though, so caveat emptor - as always with these technologies, we warmly recommend testing in QA before rolling out to production.

👍 Woody
Jason Bayton (jason@bayton.org)
2018-04-12 17:38:09

https://bayton.org/2018/03/mobileiron-launch-android-enterprise-work-profiles-on-fully-managed-devices/

👍 Woody, Martin Hodgson, Kiran Patel, RobE
macbentosh (benbergthold@gmail.com)
2018-04-12 18:27:49

does MI offer any certifications?

macbentosh (benbergthold@gmail.com)
2018-04-12 18:38:22

making certs a req for SMEs

Jason Bayton (jason@bayton.org)
2018-04-12 18:38:26

Yes they do

Jason Bayton (jason@bayton.org)
2018-04-12 18:38:38

Check out MI university

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-12 18:43:45

i've not done any of them in a long time... they were not too hard imo

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-12 18:44:04

even allowed you to take the online test as many times as you liked until you passed

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-12 18:44:11

but that may have changed now...

Martin Hodgson (martinh@bridgeway.co.uk)
2018-04-12 18:52:19

A number of these are based on older product versions.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-12 19:02:24

Agreed. But still something good to set as a KPI for your team.

I've done the same

👍 Martin Hodgson, Woody
Martin Hodgson (martinh@bridgeway.co.uk)
2018-04-12 19:06:12

@Simon Hardy-Bistagne My post was a cautionary note for taking these. One exam example, what ports do Core and Sentry communicate on? It hasn't been 9090 and 443 for some time. So think old for the exam and not what's actually changed

👍 Simon Hardy-Bistagne
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-12 19:12:32

Yep, I think all of them are in the same boat. The product evolves too fast for the training and certifications to keep up.

Tbh, looking at my MI certs, I did mine back in 2013 and there were those kinds of issues then.

Can't see that changing anytime soon.

Jason Bayton (jason@bayton.org)
2018-04-12 19:25:46

They're about to launch a brand new learning platform 🤷‍♂️

macbentosh (benbergthold@gmail.com)
2018-04-12 19:47:58

cost?

🤷‍♂️ Jason Bayton, Simon Hardy-Bistagne
Woody (eric.woodland@trust.tc)
2018-04-12 19:52:46

There’s never been an associated cost for MobileIron University. Just entitled to it as being a customer. @macbentosh

macbentosh (benbergthold@gmail.com)
2018-04-12 19:55:29

even the certs?

Martin Hodgson (martinh@bridgeway.co.uk)
2018-04-12 19:56:16

correct - free, even the certs which you can download

macbentosh (benbergthold@gmail.com)
2018-04-12 23:15:53

great password in vault isnt working and the reset link sends me nothing…

Jason Bayton (jason@bayton.org)
2018-04-13 06:29:21

Contact your MI rep to get it reset I guess. There's an address but I can't find it offhand.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-13 07:17:36

if i remember rightly, my login was my email, with ".mi" at the end.... not sure if that was just me though

Jason Bayton (jason@bayton.org)
2018-04-13 10:29:44

.mip, but it’ll work without

fridomac (fridomac@googlemail.com)
2018-04-13 17:26:05

@fridomac has joined the channel

macbentosh (benbergthold@gmail.com)
2018-04-13 19:54:40

did MI just send me my password in clear text…

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-13 19:55:10

🙈

😆 Woody
Woody (eric.woodland@trust.tc)
2018-04-13 20:52:29

They should hire T-Mobile to come in as a consultant and help them fix that

macbentosh (benbergthold@gmail.com)
2018-04-13 20:56:34

@macbentosh uploaded a file: nGMrD.gif

Woody (eric.woodland@trust.tc)
2018-04-13 21:02:30

Have to admit that was a pretty eye-opening thread to follow on Twitter

Jason Bayton (jason@bayton.org)
2018-04-13 21:04:49

Link please

Woody (eric.woodland@trust.tc)
2018-04-13 21:14:33

https://twitter.com/c_pellegrino/status/981409466242486272

Claudia Pellegrino (https://twitter.com/c_pellegrino/status/981409466242486272)
SeloX (https://twitter.com/SeloX_AUT/status/981406875811008513)
😅 Jason Bayton, Woody, RobE
Jason Bayton (jason@bayton.org)
2018-04-15 11:12:04

*Thread Reply:* This is too much.

😆 Woody, RobE
Woody (eric.woodland@trust.tc)
2018-04-15 18:12:20

*Thread Reply:* I know, right?

NicolasR (raison_nicolas@me.com)
2018-04-15 10:15:31

Core 9.5 fundamental is out but still old for intermediate

Jason Bayton (jason@bayton.org)
2018-04-15 11:13:29

9.5 is pretty outdated compared to 9.7.. they could have dev and training work in tandem to create content as features are worked on, but that sounds too much like hard work :p

👍 NicolasR
NicolasR (raison_nicolas@me.com)
2018-04-16 22:37:18

Not as outdated as 7.5 😂

😆 Woody
macbentosh (benbergthold@gmail.com)
2018-04-17 16:49:49

I have a user that will get an appt setup and exchange will sync it to his phone. If the location is updated the appointment will not display the correct location till the event is opened.

macbentosh (benbergthold@gmail.com)
2018-04-17 18:19:34

where is everyone @here staying at for Live!

Mark Vonk (mark.vonk@dahvo.com)
2018-04-17 18:32:54

@macbentosh iOS right? Seen it before, thought it was an iOS bug. I am staying at the Holiday Inn at Alexanderplatz.

macbentosh (benbergthold@gmail.com)
2018-04-17 18:44:33

the event isnt at a hotel this year? I liked just booking it all together

Jason (jasonh@bridgeway.co.uk)
2018-04-17 19:05:06

No, it’s at a converted industrial workshop.

Jason (jasonh@bridgeway.co.uk)
2018-04-17 19:05:26

We’re staying at the Motel One.

Robert R. (rr10@gmx.de)
2018-04-17 19:27:39

Mark meant the Europe Live event in Berlin 😁

Jason (jasonh@bridgeway.co.uk)
2018-04-17 19:29:56

I meant the MobileIron Live! event in Berlin too. We’re staying at the Motel One in Berlin.

Woody (eric.woodland@trust.tc)
2018-04-17 20:02:47

@here Anyone have a method of updating all URL references in Core when the hostname is changed?

Woody (eric.woodland@trust.tc)
2018-04-17 20:03:32

Most have updated, but the URL in the System - macOS Enterprise AppStore Identity Preference and Mobile@Work server name population won’t budge

Woody (eric.woodland@trust.tc)
2018-04-18 03:59:49

Looks like the option to connect remotely to Core using Telnet in 9.7 is gone. #AboutTime

Barrie Codona (barrie.codona@hotmail.com)
2018-04-18 16:59:05

@Woody You'll need to edit these in the mysql database manually and then restart the tomcat service. Changing the hostname would also need you to retire all of your devices and then re-register them. I'd therefore recommend just building a new Core server. But for the sake of testing, you can update 'System - macOS Enterprise AppStore Identity Preference' in the database by updating the value in the miappsettingentry table: update miappsettingentry set value = "https://[newurl]/[path]" where value = "https://[oldurl]/[path]"; You can get the [path] from the configuration in the Core Admin Portal.

Woody (eric.woodland@trust.tc)
2018-04-18 17:00:07

Thanks, @Barrie Codona! Of course, I went ahead and blew it away. Taking note for future scenarios 🙂

Barrie Codona (barrie.codona@hotmail.com)
2018-04-18 17:04:48

On my lab, I've tried dumping the database to a txt file and then doing a search and replace on all the references to the old hostname. But got errors when trying to import the updated file back into the mysql database. I'm sure that it should be possible to create a script that reads every table and automatically updates them in the database.

NicolasR (raison_nicolas@me.com)
2018-04-18 23:37:31

Filtering Apps in AppCatalog in Core admin using a Label available in Core 9.7 #AboutTime ;-)

👍 Woody, Mark Vonk
Mark Vonk (mark.vonk@dahvo.com)
2018-04-19 09:18:15

The same for category management. Not sure if it was a 9.6 or 9.7 feature, but it sure beats writing web service calls

Duncan (duncan@govalux.com)
2018-04-26 16:08:10

Ah, our upgrade to Core 9.7.0.1 Build 9 this morning killed the last few hundred Windows Mobile devices. Email profiles got lost.

Jason Bayton (jason@bayton.org)
2018-04-26 16:10:02

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-04-26 16:29:23

lol

thebjohn (brandonjohnson518@gmail.com)
2018-04-26 17:35:20

9.7.0.1 having issues with any outbound proxy or communication for us. Quality sure is slipping for these releases

Woody (eric.woodland@trust.tc)
2018-04-27 16:00:29

@Duncan Curious, Windows 8, 10 or a variety of both?

Ankur Acharya (ankuracharya@gmail.com)
2018-04-28 03:47:27

@Ankur Acharya has joined the channel

Duncan (duncan@govalux.com)
2018-04-30 18:10:54

WP8.1 and WP10, but not all of them it seems. When removing and adding back the email config it started to work again.

macbentosh (benbergthold@gmail.com)
2018-05-01 19:42:50

upgrade day wish me luck!

Jason (jasonh@bridgeway.co.uk)
2018-05-01 19:58:16

Fingers crossed!

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-01 20:05:36

Good luck!

macbentosh (benbergthold@gmail.com)
2018-05-01 20:11:11

downloading 9.7.0.1 how long does it take to verify updates

macbentosh (benbergthold@gmail.com)
2018-05-01 20:14:21

right as i send it finishes

macbentosh (benbergthold@gmail.com)
2018-05-01 20:24:50

so how does core do mam only?

macbentosh (benbergthold@gmail.com)
2018-05-01 20:33:30

so Mobile Application Management only didn’t make it to 9.7?

Robert R. (rr10@gmx.de)
2018-05-01 22:06:08

As far as I know you need a separate core for MAM

macbentosh (benbergthold@gmail.com)
2018-05-01 22:39:25

I was told that with 9.7 a second core was not needed

NicolasR (raison_nicolas@me.com)
2018-05-01 22:55:01

I think you can separate labels for installing the system MDM config but not sure this is how it's supposed to work

JaxxUK (paul.jacka@bridgeway.co.uk)
2018-05-02 10:49:31

Good day all, Are any of you having success with Core 9.7.0.1, Graph API's and controlling the Microsoft Apps on the mobile devices and restrictions please?

Jason (jasonh@bridgeway.co.uk)
2018-05-03 08:55:03

^^ anyone?

Jason Bayton (jason@bayton.org)
2018-05-03 09:57:22

I've not used them to date .. @here ?

Kiran Patel (kiran@kiranpatel.net)
2018-05-03 16:08:20

@JaxxUK I haven't yet but planning to possibly later this month

macbentosh (benbergthold@gmail.com)
2018-05-03 16:10:23

so what’s the solution for “app” is already scheduled for management

RobE (robert.kreuzer@outlook.com)
2018-05-03 16:18:03

Does anyone know if Email+ works with POP3?

😱 NicolasR
😂 NicolasR
NicolasR (raison_nicolas@me.com)
2018-05-04 00:26:42

No, Email+ is only Exchange ActiveSync protocol

👍 RobE
NicolasR (raison_nicolas@me.com)
2018-05-04 00:26:46

No imap or pop

thebjohn (brandonjohnson518@gmail.com)
2018-05-09 17:28:49

Anyone here running Sentry 9.3.0 with Exchange 2016 CU9 and Exchange 2013 CU20? Based on testing in QA, no issues, but Mobile Iron does not officially show either as supported or compatible, and we were told likely won’t in the Sentry 9.4.0 release.

Jason Bayton (jason@bayton.org)
2018-05-10 11:53:18

Is anyone familiar with this "issue"? I don't have an iOS device to test so this is based on as close to a clear workflow as I've gotten from the customer:

  1. You've forgotten your iOS passcode
  2. You've rebooted the device
  3. Your admin resets the passcode
  4. The passcode doesn't reset because the agent can't communicate with the device after a reboot without authenticating.

I'm not sure if this is limited to MobileIron or wider, but would be great to hear if this is known about.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-10 12:08:43

*Thread Reply:* Normally I've seen this when the end user has a Sim card pin active.

iOS won't allow wifi connections after a reboot until the device pin is active, and the Sim pin unlock comes after the device pin...

Try a different Sim card.

Jason Bayton (jason@bayton.org)
2018-05-10 12:50:08

*Thread Reply:* Definitely not SIM related as they've replicated it on a number of devices. Supposedly the agent doesn't communicate with the device until after it's unlocked following a boot (paraphrasing).

Mark Vonk (mark.vonk@dahvo.com)
2018-05-10 14:28:02

*Thread Reply:* Never seen that. Typically as Simon said, it's due to the fact the device does not have network connectivity: ie sim locked and no WiFi. If it has a connection it unlocks just fine in my experience. The agent does not need a connection: the command is sent via APNs to the device directly, not the MDM client.

Jason Bayton (jason@bayton.org)
2018-05-10 14:29:40

*Thread Reply:* I'm pleased to hear it's unusual I guess.

"OS won't allow wifi connections after a reboot until the device pin is active"

Isn't that essentially the core of this issue?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-10 14:38:54

*Thread Reply:* That's BAU for iOS as until you unlock the device for the first time after a reboot, the wifi keys are all still encrypted in the keystore.

Now that I'm saying it out loud, it would cause an issue resetting a password on a wifi only device that's been rebooted.

If the devices aren't wifi only though it does mean there's an issue somewhere.

Jason Bayton (jason@bayton.org)
2018-05-10 14:40:48

*Thread Reply:* OK, fully understood

onires53 (jason.r.serino@gmail.com)
2018-05-11 01:47:07

*Thread Reply:* @Jason Bayton This is a known issue. MobileIron even put out a product bulletin on it (https://community.mobileiron.com/docs/DOC-7148). We have definitely experienced this on multiple occasions. Not just WiFi only devices.

👍 Simon Hardy-Bistagne, Jason Bayton
Jason Bayton (jason@bayton.org)
2018-05-11 11:29:27

*Thread Reply:* Thanks chap!

Woody (eric.woodland@trust.tc)
2018-05-10 16:12:23

@here anyone have a visual on a Core Admin Portal? Does a Managed App Config still need to be uploaded as an XML or is there a wizard now?

macbentosh (benbergthold@gmail.com)
2018-05-10 16:13:58
Woody (eric.woodland@trust.tc)
2018-05-10 16:14:20

Gracias @macbentosh

Kiran Patel (kiran@kiranpatel.net)
2018-05-10 16:33:40

@here there is a wizard depending on the application

Kiran Patel (kiran@kiranpatel.net)
2018-05-10 16:33:50

oops - meant to do @Woody lol

Woody (eric.woodland@trust.tc)
2018-05-10 16:35:02

Do me a favor @Kiran Patel or @macbentosh - See if there is one that exists for Okta Mobile

macbentosh (benbergthold@gmail.com)
2018-05-10 16:38:40

@Kiran Patel is that cloud?

Woody (eric.woodland@trust.tc)
2018-05-10 16:39:05

i do recall seeing an “App Config” tab inside app sections in Core

Woody (eric.woodland@trust.tc)
2018-05-10 16:39:22

Can’t say I ever came across an app that actually had a box to create an entry, though

macbentosh (benbergthold@gmail.com)
2018-05-10 22:20:09

so why does the venue for west look like a house? 1006 Chantilly Rd, Los Angeles

macbentosh (benbergthold@gmail.com)
2018-05-11 19:57:04

what?

macbentosh (benbergthold@gmail.com)
2018-05-11 19:57:05

(Client #1073750412) was STONITH’d

Kiran Patel (kiran@kiranpatel.net)
2018-05-11 21:29:07

Hey @Woody & @macbentosh - apologies spaced replying on this. To complete my comments, in the event they make the xml schema to mobileiron they have a UI around it. I've seen it for Salesforce and a few other apps. Check the Apps@Work pdf under the core documentation. I'm not sure if this is supported in Cloud but would be surprised if it's not

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2018-05-11 21:31:04

I do not see this available for Okta Mobile. Example for it is looks like for Box for EMM & Salesforce.

Kiran Patel (kiran@kiranpatel.net)
2018-05-11 21:31:09

@Kiran Patel uploaded a file: image.png

Woody (eric.woodland@trust.tc)
2018-05-11 21:31:19

Yeah, it’s there (and fairly robust) in Cloud. Seeing the same in my Core (now that it is back up)

Kiran Patel (kiran@kiranpatel.net)
2018-05-11 21:32:11

That top screenshot is box. Here is one for Salesforce1

Kiran Patel (kiran@kiranpatel.net)
2018-05-11 21:32:20

@Kiran Patel uploaded a file: image.png

Kiran Patel (kiran@kiranpatel.net)
2018-05-11 21:32:31

@Kiran Patel uploaded a file: image.png

Kiran Patel (kiran@kiranpatel.net)
2018-05-11 21:32:44

you can have a default config or unique configs and apply by label

Woody (eric.woodland@trust.tc)
2018-05-11 21:38:01

Gotcha

Woody (eric.woodland@trust.tc)
2018-05-11 21:38:06

I bet they are pulling from AppConfig.org

Kiran Patel (kiran@kiranpatel.net)
2018-05-11 21:38:39

Yup - i was trying to find the document but I recall reading a while back that they committed to hosting the schema file from there

👍 Woody
Emiliano (emiliano.bolzoni@gmail.com)
2018-05-16 22:08:44

@Emiliano has joined the channel

Woody (eric.woodland@trust.tc)
2018-05-22 13:57:02

@here Besides enhanced management of Windows devices, are there any other benefits of using Cloud + AzureAD?

macbentosh (benbergthold@gmail.com)
2018-05-22 17:33:04

@here what do you do when an in-house app fails to install?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-22 17:34:08

One device or all?

macbentosh (benbergthold@gmail.com)
2018-05-22 17:34:15

one

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-22 17:34:44

Any errors as to why it failed in the logs?

macbentosh (benbergthold@gmail.com)
2018-05-22 17:34:56

nope

macbentosh (benbergthold@gmail.com)
2018-05-22 17:35:21

@macbentosh uploaded a file: IMG_2546.JPG

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-22 17:35:53

Signing cert still ok and valid?

macbentosh (benbergthold@gmail.com)
2018-05-22 17:35:58

yup

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-05-22 17:36:43

User's storage isn't full is it? I've had that a few times

macbentosh (benbergthold@gmail.com)
2018-05-22 17:36:51

nope

macbentosh (benbergthold@gmail.com)
2018-05-22 17:43:27

the device that works is 11.3 the device that is failing is 11.3.1

Woody (eric.woodland@trust.tc)
2018-05-23 03:18:53

Where’s it downloading from? @macbentosh

Woody (eric.woodland@trust.tc)
2018-05-23 03:20:24

Core or external url?

macbentosh (benbergthold@gmail.com)
2018-05-23 05:34:05

Core

Mark Vonk (mark.vonk@dahvo.com)
2018-05-23 12:59:04

Can you get the iOS console logs? Should have an error which could point you to a solution.

Woody (eric.woodland@trust.tc)
2018-05-23 22:45:43

I concur with @Mark Vonk, scrape the device console logs from Configurator or XCode while it fails. I’m sure you’ll see why

Jason (jasonh@bridgeway.co.uk)
2018-05-25 19:38:29

Hello hive mind!

Jason (jasonh@bridgeway.co.uk)
2018-05-25 19:38:58

I’d appreciate some feedback on these videos we’ve put together for our IronWorks solution, please?

Jason (jasonh@bridgeway.co.uk)
2018-05-25 19:39:11

https://youtu.be/HHT631uSXGk

YouTube: Bridgeway Security Solutions (https://www.youtube.com/channel/UCEvsWjYCSEHxRG3vnp8WYfA)
Jason (jasonh@bridgeway.co.uk)
2018-05-25 19:39:26

60 seconds each.

Jason (jasonh@bridgeway.co.uk)
2018-05-25 19:39:37

https://youtu.be/o8NWSt8-KjY

Jason (jasonh@bridgeway.co.uk)
2018-05-25 19:39:49

https://youtu.be/UABLR7LaqNQ

Jason (jasonh@bridgeway.co.uk)
2018-05-25 19:39:59

https://youtu.be/6fao2yMvl70

Jason (jasonh@bridgeway.co.uk)
2018-05-25 19:40:05

Thanks in advance.

Jason (jasonh@bridgeway.co.uk)
2018-05-29 11:22:34

No comments?

Woody (eric.woodland@trust.tc)
2018-05-29 14:14:54

I’ve got a reminder to check them out @Jason. Long week/weekend

Jason (jasonh@bridgeway.co.uk)
2018-05-29 14:16:25

No problem - thanks for helping!

Woody (eric.woodland@trust.tc)
2018-05-29 20:56:12

@here - Has anyone configured MobileIron’s Cloud to communicate with an LDAP as a service, such as something like JumpCloud?

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-10 16:43:50

*Thread Reply:* yes, it works… or at least it did…

👏 Woody
Woody (eric.woodland@trust.tc)
2018-06-11 16:50:39

*Thread Reply:* Right on. It’s very similar to the Okta LDAP interface. I’ll see if I can get it rolling. Thx @Alex Mercer!

Fabian (mobilxperts@neokortex.de)
2018-05-29 22:25:51

Our Cloud customers use numerous directories, probably also JumpCloud. Usually that‘s working absolutely fine, as long as the destination provides an RFC compliant LDAP interface. - What are you aiming for?

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2018-05-30 09:17:22

^^ this

Woody (eric.woodland@trust.tc)
2018-05-30 15:44:38

@Fabian @Jason I was looking to see if it was possible, since most MI Cloud deployments you see revolve around using a Connector. I’ve got it going in AirWatch and wanted to mirror the same arrangement in MI Cloud.

NicolasR (raison_nicolas@me.com)
2018-05-30 18:23:52

@Woody you want to integrate LDAP without MI Connector, right? If so, no, it’s not possible AFAIK

Woody (eric.woodland@trust.tc)
2018-05-30 18:24:09

That’s correct, @NicolasR

Woody (eric.woodland@trust.tc)
2018-05-30 18:24:40

Take care of everything via LDAP as a service

Jason (jasonh@bridgeway.co.uk)
2018-05-30 18:36:00

Running Connector in a Cloud instance is a horrid approach.

Fabian (mobilxperts@neokortex.de)
2018-05-30 18:45:42

Afaik MI is working on that. Basically the same issue like with Sentry and MI Cloud.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2018-05-30 18:53:47

Yup

Woody (eric.woodland@trust.tc)
2018-05-31 14:44:40

@here in terms of Cloud and using AAD as an IdP/User Source, is a connector required? Stepping back to the conversation we were having yesterday about LDAP as-a-service (and not working w/o a connector in place)

Woody (eric.woodland@trust.tc)
2018-05-31 14:46:51

From what I can tell, you’re able to use it without the dependency of a Connector

Woody (eric.woodland@trust.tc)
2018-05-31 14:46:58

@Woody uploaded a file: image.png

Daniel Harris (daniel.harris@okta.com)
2018-05-31 16:57:55

@Daniel Harris has joined the channel

Mark Vonk (mark.vonk@dahvo.com)
2018-05-31 19:09:12

Well the screenshot says it all I would say. To connect it with AAD as your IdP you do not need a Connector. But actually some more is available: In order to use AAD, you need to set up your IdP for user authentication in one of the following methods:

  • To use Microsoft AAD for both user source and user authentication, setup AAD as your IdP. Go to Admin > Identity > Cloud IdP Setup and select AAD from the menu.
  • To use Microsoft AAD for user source and to use ADFS for user authentication, setup ADFS as your IdP. Go to Admin > Identity > On-Prem IdP Setup and select ADFS from the menu.
  • To use a SAML 2.0 IdP other than AAD and to use ADFS for user authentication, go to Admin > Identity > Generic IdP Setup and follow the instructions on the page.
Mark Vonk (mark.vonk@dahvo.com)
2018-05-31 19:09:57

So anything SAML 2.0 is supported

Mark Vonk (mark.vonk@dahvo.com)
2018-05-31 19:10:51

You can't add multiple sources though. You can't combine an LDAP with the connector and AAD.

Mark Vonk (mark.vonk@dahvo.com)
2018-05-31 19:12:16

And do not forget to create some backup local accounts. In case you misconfigure something or your IdP is not working, you can still access the console as an admin

Mark Vonk (mark.vonk@dahvo.com)
2018-05-31 19:14:58

You can read more in the help by searching for Azure or IdP. AFAIK it was introduced in Cloud by accident. Documentation is a bit scarce.

Woody (eric.woodland@trust.tc)
2018-05-31 19:51:11

Nice, @Mark Vonk! Admittedly, I’ve not implemented it yet, but that is attractive (since it is the only path that doesn’t appear to require a connector)

Woody (eric.woodland@trust.tc)
2018-05-31 20:20:09

My guess is that MI will continue to follow the model they established with AAD Premium (as @Fabian mentioned) and help move everyone into a true cloud-to-cloud arrangement.

Fabian (mobilxperts@neokortex.de)
2018-05-31 21:28:06

Completely different topic; I had a nice discussion with a customer’s security guy about TLS 1.3 and its implications for enterprise networks, mainly with regard to the omitted renegotiation feature. Of course TLS 1.3 does drastically speed up TLS handshakes, but we concluded that most vendors and standards will skip this TLS version (except for the ciphers). What do you think?

Fabian (mobilxperts@neokortex.de)
2018-05-31 21:30:32

This is somehow also MobileIron relevant, as TLS 1.3 requires a dedicated port or FQDN (with SNI) for every connection using client certificates. Per CA.

Woody (eric.woodland@trust.tc)
2018-05-31 21:31:42

Why is it felt that most vendors/standards will skip 1.3? Just too much overhead required to implement an update for a minor version (and worth waiting until a 1.4 arrives with tweaks/optimizations/etc)?

Fabian (mobilxperts@neokortex.de)
2018-05-31 21:32:47

In general, yes. Too much stuff that would have to be changed drastically.

Fabian (mobilxperts@neokortex.de)
2018-05-31 21:33:52

Many things will not work with 1.3 without extensive changes on application level

Woody (eric.woodland@trust.tc)
2018-05-31 21:34:13

That makes sense. Almost like it needs to be under a TLS 2.0 heading so vendors can maintain v1.x until they deem it worthy of making a jump

Fabian (mobilxperts@neokortex.de)
2018-05-31 21:35:31

I was wondering whether someone already spent time on it, as TLS 1.3 has some real benefits for mobiles and high latency connections. At a high price.

macbentosh (benbergthold@gmail.com)
2018-06-01 16:34:07

how can I create a label but exclude devices in another label

Kiran Patel (kiran@kiranpatel.net)
2018-06-01 17:38:14

*Thread Reply:* Was literally trying to do this yesterday and don't think it's possible.

Kiran Patel (kiran@kiranpatel.net)
2018-06-01 17:38:43

*Thread Reply:* Ended up using device name as our use case is to exclude a kiosk device if we want to kick it out of single app mode

onires53 (jason.r.serino@gmail.com)
2018-06-01 18:33:04

*Thread Reply:* Unless things have changed, you can't nest labels within labels in MI. You have to create AD groups and exclude them or key off of AD attributes or another MI field (display name, device info, etc.).

Mark Vonk (mark.vonk@dahvo.com)
2018-06-01 19:36:42

*Thread Reply:* Not possible indeed. You would need some other attribute (device, OS or LDAP) to exclude it from the label.

Fabian (mobilxperts@neokortex.de)
2018-06-02 18:11:56

*Thread Reply:* Basically the condition of label 1, just negated, in addition to the already existing label 2 conditions. For such criteria it is good to be able to manually design the search filter :)

Duncan (duncan@govalux.com)
2018-06-02 22:15:01

*Thread Reply:* Contact Miriam Geller from MI. I asked for this years ago and she’s told me that it would be coming sometime.

👍 Kiran Patel
Fabian (mobilxperts@neokortex.de)
2018-06-03 07:31:31

*Thread Reply:* If I remember it correctly, Miriam is no longer with MI.

Jason Bayton (jason@bayton.org)
2018-06-03 20:26:05

*Thread Reply:* And the dream of nested labels departed with her it seems

macbentosh (benbergthold@gmail.com)
2018-06-06 16:01:35

hey @here who is going to LA tomorrow?

macbentosh (benbergthold@gmail.com)
2018-06-07 04:33:00

No one going to live tomorrow?

:mobileiron_logo: Alex Mercer, NicolasR
🤩 Alex Mercer
Jason Bayton (jason@bayton.org)
2018-06-07 11:23:03

Doesn’t look like it! 😄

macbentosh (benbergthold@gmail.com)
2018-06-08 15:02:52

@Alex Mercer Still cleaning up the party?

Woody (eric.woodland@trust.tc)
2018-06-08 20:28:03

I’d say she owned that event, @macbentosh. Made lots of pictures!

macbentosh (benbergthold@gmail.com)
2018-06-08 20:28:20

where them pictures?

Woody (eric.woodland@trust.tc)
2018-06-08 20:42:32

Twitta/LinkedIn

macbentosh (benbergthold@gmail.com)
2018-06-08 22:03:47

any of me?

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-10 16:41:58

I'll look at the pics Ben, see if I find yah

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-10 16:42:08

this week we have the PS Summit

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-10 16:42:14

need to add that guy to this community too!

macbentosh (benbergthold@gmail.com)
2018-06-12 16:56:03

alright all I have a question? Who here has had to migrate a virtual core and sentry off of an amd host and onto an intel host?

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-12 22:05:40

*Thread Reply:* Haven't.

Fabian (mobilxperts@neokortex.de)
2018-06-12 22:09:05

*Thread Reply:* Shouldn't be an issue, as the MI CentOS kernel contains the Intel specific optimizations. If it is already working on AMD, everything should migrate well. I would have struggled the other way around. However, haven't tested that yet.

👍 Woody
Fabian (mobilxperts@neokortex.de)
2018-06-12 22:10:42

*Thread Reply:* Probably worth being mentioned: Core and Sentry have different CentOS main versions. Will be equal again with Core 10.

👍 Woody
Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-12 22:05:34

@here Curious how many people implement G-suite today…kinda seems like smaller companies over large enterprise, and maybe govt/edu it's good for… curious.

Fabian (mobilxperts@neokortex.de)
2018-06-12 22:13:47

None of our > 300 MI Core customers is using G-Suite. Only a bunch of MI Cloud customers do, perhaps 2-3%. Likely an EMEA specific phenomenon ;-)

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-12 22:33:18

SMB mainly, only a few enterprise level I've ever seen.

NicolasR (raison_nicolas@me.com)
2018-06-12 22:35:10

2 of our MI customers (large enterprises) Less than 5% of our install base

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-12 22:37:18

As of January 2017, Google has 3 million businesses paying for G Suite, while it has 70 million G Suite for Education users

😳 Woody
Damian (support@expertmobilite.com)
2018-06-13 09:44:56

I know the Airbus group is migrating from Exchange to G-Suite and they are massive

👀 Woody
Jason (jasonh@bridgeway.co.uk)
2018-06-13 09:46:46

A few of our customers, small and large, are G-Suite users. We’re mid-migration ourselves too.

Jason (jasonh@bridgeway.co.uk)
2018-06-13 09:47:18

That said, the majority are still either live, moving or planning to move to O365.

Jason Bayton (jason@bayton.org)
2018-06-13 10:35:42

We've got a few GSuite customers, but the company just brought on a microsoft consultant so that really says enough I think.

Mark Vonk (mark.vonk@dahvo.com)
2018-06-13 11:23:30

Move to Office365 mainly for our customers. Only one large (5500 devices) moved to Google. Still on MI and using the specific Core and Sentry functions for Google apps (like google password set by Core for Activesync through Sentry)

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-13 11:26:17

Frankly the lack of activesync support makes gsuite a no goer if you want to use native apps like iOS mail.

Jason Bayton (jason@bayton.org)
2018-06-13 11:51:38

G Suite does ActiveSync.. m.google.com

Mark Vonk (mark.vonk@dahvo.com)
2018-06-13 12:02:16

Indeed, G Suite does offer ActiveSync. ActiveSync has only been removed for free Gmail accounts.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-13 12:02:39

Fair enough... Never really played with it, thanks for the info

Jason Bayton (jason@bayton.org)
2018-06-13 12:22:53

*Thread Reply:* He says after making an authoritative statement on lack of support: "oh but I've never touched it" 😋

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-13 12:32:18

*Thread Reply:* I use it day in day out for my personal mail hosting, just never managed to find full activesync support despite looking.

Jason Bayton (jason@bayton.org)
2018-06-13 12:45:46

*Thread Reply:* It's G Suite basic and above only. They've got docs covering it 👍

NicolasR (raison_nicolas@me.com)
2018-06-13 12:17:42

Gsuite can be configured with native iOS mail and adding MI Access or Workspace One to manage access control does the job

NicolasR (raison_nicolas@me.com)
2018-06-13 12:18:01

For Core you need to upload a custom iOS profile but it works

Jonathan Henson (jon@1fixpc.com)
2018-06-14 21:16:13

So, strangely two of our Cores are no longer syncing with DEP but three are syncing without problems. We've reached out to our program agent. Waiting to hear back if she is prompted to agree to new terms of service. Seems unlikely since some of the cores aren't having issues and we haven't switched over to Apple Business Manager.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-06-14 21:22:39

I'd say it points to the sync service on the core then, but odd it's happening to two at the same time?

The cert hasn't expired has it?

aaron (aaron@groundctl.com)
2018-06-14 21:25:44

Oddly, our hosted AirWatch server also stopped syncing with DEP/ABM.

aaron (aaron@groundctl.com)
2018-06-14 21:26:10

Just now

Jonathan Henson (jon@1fixpc.com)
2018-06-14 21:32:29

Odd indeed. Nothing expired that I can see. DEP tokens on those Cores are good until December.

aaron (aaron@groundctl.com)
2018-06-14 21:36:05

Apple says everything is perfect.

aaron (aaron@groundctl.com)
2018-06-14 21:36:07

@aaron uploaded a file: image.png

Jonathan Henson (jon@1fixpc.com)
2018-06-14 21:45:39

Could be a coincidence. Mind if I name drop you as having the same issue in my Apple case @aaron?

aaron (aaron@groundctl.com)
2018-06-14 21:46:50

Be my guest. Not sure how far that will get you though!

Jonathan Henson (jon@1fixpc.com)
2018-06-14 21:48:06

lol. I'm engaging Apple and MobileIron to cover all bases.

macbentosh (benbergthold@gmail.com)
2018-06-14 22:43:36

I am having dep issues too

Jonathan Henson (jon@1fixpc.com)
2018-06-14 23:31:03

Just received an update from Apple.

Jonathan Henson (jon@1fixpc.com)
2018-06-14 23:31:33

Subject: [EXTERNAL] Re: [20000003660361] DEP is not syncing to two of five MobileIron servers

Hello Jonathan,

Thank you for your escalation. Apple is aware of an issue that is likely causing your reported symptoms. I will add your impact to the existing ticket and will let you know as soon as I have an update. As always, if you have any other questions or information about this issue, please let me know.

Kind regards,

Daniel Angri AppleCare Enterprise Customer Support Engineering

Jonathan Henson (jon@1fixpc.com)
2018-06-14 23:57:45

We are back in business now. Both Cores synced up. Must have been an Apple thing.

👏 Woody
andrea (andrea@groundctl.com)
2018-06-20 16:35:24

@andrea has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2018-06-26 18:47:12

Anyone @here have to tweak timeout values on the MI Sentry when using on-prem Exchange ActiveSync? I'm seeing a fair number of timeouts for Sync events but haven't been able to nail anything down as a root cause. Users are reporting intermittent calendar sync issues, resync, etc. We've already worked on persistence & timeout values for the load balancers, fw, etc.

Kiran Patel (kiran@kiranpatel.net)
2018-06-26 18:47:41

*Thread Reply:* to clarify by timeout i mean specifically AlertID HTTP503

Kiran Patel (kiran@kiranpatel.net)
2018-06-26 18:48:03

*Thread Reply:* (AlertOrigin=Sentry, AlertId=HTTP503) Got exception during server-to-device processing, Sentry reporting error to client:Write timed out

Kiran Patel (kiran@kiranpatel.net)
2018-06-26 18:48:14

*Thread Reply:* (AlertOrigin=Sentry, AlertId=HTTP503) Got exception during device-to-server processing, Sentry reporting error to client:java.net.SocketTimeoutException: Read timed out

Woody (eric.woodland@trust.tc)
2018-06-26 18:54:53

*Thread Reply:* The only timeout tweaks I require adding were when proxying out to O365 (since there was obviously going to be some latency there)

Woody (eric.woodland@trust.tc)
2018-06-26 19:02:26

*Thread Reply:* Anything on-premise (with 2+ CAS) always did fine with the defaults

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-28 01:08:15

*Thread Reply:* Hi Kiran, you can up those but I'd consider checking in with support if you're running into issues after you up the timeout values. I usually try doubling the defaults for an issue like that and see if it helps.

Alex Mercer (alexandra.e.mercer@gmail.com)
2018-06-28 01:08:33

*Thread Reply:* i.e 30000 to 60000 and 60000 to 1200000

Fabian (mobilxperts@neokortex.de)
2018-07-01 22:12:32

*Thread Reply:* Have all network infrastructure in between allowing tcp idle timeouts of 1800s (MS recommendation). Other values work, but have to be consistent across all infrastructure.

Fabian (mobilxperts@neokortex.de)
2018-07-01 22:16:05

*Thread Reply:* The 503 in general is normal behavior. E.g. an IBM Traveler would report a 408 conflict to devices. When a device is waiting for an update notification in a ping command, this connection stays open until the server responds or the tcp idle timeout is exceeded. However, if the device user does for instance do a contact lookup or whatever eas command, the existing ping command connection will be dropped by the eas server. This is translated to 503 by Sentry. Once the device’s needs are fulfilled, it will issue a new ping command.

Fabian (mobilxperts@neokortex.de)
2018-07-01 22:16:26

*Thread Reply:* 503 can have other causes, but in general it is normal behavior.

Woody (eric.woodland@trust.tc)
2018-07-02 19:21:20

*Thread Reply:* I concur @Fabian, they do seem to be the accepted norm in this regard

Kiran Patel (kiran@kiranpatel.net)
2018-07-02 19:47:41

*Thread Reply:* thanks everyone for the feedback on this. Appreciate it!

Jason Bayton (jason@bayton.org)
2018-06-28 10:13:47

So, err..

The upgrade to Core 10.0.0.1 has stopped my Android devices from being able to check in.

@here fyi

Jason Bayton (jason@bayton.org)
2018-06-28 10:14:34

Everything is fine here..

Jason Bayton (jason@bayton.org)
2018-06-28 10:15:10

@Jason Bayton uploaded a file: image

Jason Bayton (jason@bayton.org)
2018-06-28 16:21:05

C2DM was a red herring, no idea why that’s still erroring. Seems rebooting the devices is bringing them back, but I’d hate to need to tell 4,000 users to do that..

Russell Mohr (rmohr@mobileiron.com)
2018-06-28 21:07:02

What version of M@W client were you using?

Russell Mohr (rmohr@mobileiron.com)
2018-06-28 21:07:39

10.0 client is rolling out in stages right now

Jason Bayton (jason@bayton.org)
2018-06-28 21:45:42

9.7.x, since it isn't out for me yet

Jason Bayton (jason@bayton.org)
2018-06-29 17:51:24

Core upgrade was a red herring, had a P1 this afternoon with a customer still on 9.6.x - exact same issue. Spoke with eng who have an outage for GCM over the weekend which may resolve this.

RobE (robert.kreuzer@outlook.com)
2018-07-04 17:59:52

Email+ for iOS: does anyone know if it is possible to prevent certain outlook folders from syncing into email+? Since there are no KVP in the guide my answer would be NO!

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-07-04 18:31:06

My guess would be you could only do that via exchange policy.

💯 Woody, RobE
Jason Bayton (jason@bayton.org)
2018-07-04 18:32:11

GCM work resolved checkins, everything is back to normal. 10.0.0.1 seems alright

✅ Woody, RobE
Gerben Camp (gcamp@mobileiron.com)
2018-07-04 22:04:13

@Gerben Camp has joined the channel

thebjohn (brandonjohnson518@gmail.com)
2018-07-06 14:48:49

Well ladies and gents, I was offered a position working in the Connected Vehicle space, and will be moving on from working in the EMM/MDM space at my organization.

Jason (jasonh@bridgeway.co.uk)
2018-07-06 19:10:10

*Thread Reply:* All the best in your new role!

LT (leszek@mobileiron.com)
2018-07-06 14:54:37

@LT has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-07-06 19:10:22

Was anyone able to configure open in for .pkpass files (wallet) for Email+? Configured a whitelist for wallet within the container policy and appconnect policy, but still no option for wallet. Any ideas?

Raul (rnadal@mobileiron.com)
2018-07-08 14:11:52

@Raul has joined the channel

dmilesau (darryl_miles@hotmail.com)
2018-07-11 09:54:00

@dmilesau has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-07-12 17:36:54

Interesting use case for you guys regarding GDPR compliance on iOS: we all know that it is possible to disable the contact sync within iOS Email+. BUT: I have a couple of smart users who started to bulk sync the business Outlook contacts with iTunes and then sync them with iTunes back to the device. I am thinking about a way to prevent that, but was not able to find any restrictions for iTunes sync. Of course one could also argue that the next step would be preventing users from creating these contacts manually! I think there is no suitable solution for this. How do you handle this in your company?

Jason Bayton (jason@bayton.org)
2018-07-12 18:20:40

Do you allow iCloud and physical connections to other hosts? I guess if they're corp devices I'd block those.

RobE (robert.kreuzer@outlook.com)
2018-07-12 18:24:45

iCloud is disabled, but users are able to connect the device with iTunes on their Windows desktop clients to create backups. Is there a setting in the restriction that prevents the device from physically connecting to a host?

Jason Bayton (jason@bayton.org)
2018-07-12 18:25:08

Yes

RobE (robert.kreuzer@outlook.com)
2018-07-12 18:27:20

Only within the AC2 or also within the restriction on Core? But if you block the connection to hosts, how do you deal with backups?

Jason Bayton (jason@bayton.org)
2018-07-12 18:29:31

Core for supervised devices. Would block backups also.

RobE (robert.kreuzer@outlook.com)
2018-07-12 18:34:16

Thanks Jason, I missed this one. What's the main reason why you would block backups? Backups from non supervised devices erasing the supervised mode? Never had any issues with data loss?

RobE (robert.kreuzer@outlook.com)
2018-07-12 18:35:47

I am not sure how to argue that backups are not allowed because they will be needed at one point, don’t you think?

Jason Bayton (jason@bayton.org)
2018-07-12 18:41:53

AFAIK you can only restore iCloud backups to a DEP device so that setting to me is more about security.

You've got the justification you need as soon as you mention GDPR I guess 😅

Up to you what you do, but that will sort your contact issues even if only used as a punishment for those you find doing it eh!

macbentosh (benbergthold@gmail.com)
2018-07-13 17:40:09

@macbentosh uploaded a file: GDPRmeme-7.gif

macbentosh (benbergthold@gmail.com)
2018-07-13 18:07:47

@macbentosh uploaded a file: GDPRMeme-4.png

Woody (eric.woodland@trust.tc)
2018-07-13 19:35:13

@here anyone recently dealt with Access and MacOS? Have the device managed, tunnel deployed, etc. I get to the Access URL, Tunnel engages and then the session basically stalls-out. Works perfectly on the same service on iOS.

macbentosh (benbergthold@gmail.com)
2018-07-13 19:52:32

what OS?

Woody (eric.woodland@trust.tc)
2018-07-13 20:31:57

MacOS

macbentosh (benbergthold@gmail.com)
2018-07-13 21:17:33

@Woody

Woody (eric.woodland@trust.tc)
2018-07-13 21:22:43

Really, @macbentosh. Really

Woody (eric.woodland@trust.tc)
2018-07-13 21:23:14

Just heard from MI. MacOS is not yet certified for this, but they’re working on it.

macbentosh (benbergthold@gmail.com)
2018-07-13 21:23:20

what version

Woody (eric.woodland@trust.tc)
2018-07-13 21:23:38

MacOS Most.Recent.Version

Woody (eric.woodland@trust.tc)
2018-07-13 21:23:48

10.13.5

macbentosh (benbergthold@gmail.com)
2018-07-13 21:23:50

10.13.6?

macbentosh (benbergthold@gmail.com)
2018-07-13 21:23:55

see you lie!!

macbentosh (benbergthold@gmail.com)
2018-07-13 21:24:18

are you suppressing kernel extension prompts?

Woody (eric.woodland@trust.tc)
2018-07-13 21:24:52

Actually, it is .6 on my test machine

Woody (eric.woodland@trust.tc)
2018-07-13 21:24:56

.5 on my MBP

Woody (eric.woodland@trust.tc)
2018-07-13 21:25:15

BTW, that AirPlay2 is dope on Sonos 🙂

macbentosh (benbergthold@gmail.com)
2018-07-13 21:25:22

lol

Woody (eric.woodland@trust.tc)
2018-07-13 21:27:00

Very much so

Woody (eric.woodland@trust.tc)
2018-07-13 21:27:14

One long @ss week

NicolasR (raison_nicolas@me.com)
2018-07-13 22:31:53

Hi @Woody Yes tested but the version that doesn’t do Per-App VPN. It did work with Safari. To have Per-App VPN I think Core 9.7 is required

👍 Woody
Woody (eric.woodland@trust.tc)
2018-07-13 23:40:44

I’m on 10.0.1. Will do some more testing tonight and see what I can get @NicolasR!

👍 NicolasR, Duncan
:mobileiron_logo: NicolasR, Duncan
Steffen Schwab (sschwab@mobileiron.com)
2018-07-16 14:57:01

@Steffen Schwab has joined the channel

Woody (eric.woodland@trust.tc)
2018-07-18 15:13:47

Welcome, @Steffen Schwab! Long time, no speak

Steffen Schwab (sschwab@mobileiron.com)
2018-07-19 07:38:30

*Thread Reply:* Thanks @Woody, true! how are you?

Woody (eric.woodland@trust.tc)
2018-07-18 15:37:00

Anyone have a favorite app that’s compatible with Android Enterprise/Tunnel’s Always on VPN?

Russell Mohr (rmohr@mobileiron.com)
2018-07-18 15:44:15

Latest MobileIron blog post on Apple Business Manager

👍 Preetham Guram, RobE, Kiran Patel
RobE (robert.kreuzer@outlook.com)
2018-07-19 18:22:06

Does anyone know if the caller id resolution within iOS will also work for Email+ contacts (sync disabled) with bluetooth devices like car hands-free system - can’t test it, but I doubt it!

Woody (eric.woodland@trust.tc)
2018-07-19 18:42:34

@RobE I can’t see how it would, if the sync and subsequent data wasn’t being offered-up to the OS/Phone app

RobE (robert.kreuzer@outlook.com)
2018-07-19 19:11:20

Yes, I would agree. Although the caller-API is used to have the name resolution work for the phone app without the email+ contacts within the native contacts!

RobE (robert.kreuzer@outlook.com)
2018-07-19 19:13:05

Any idea if that is supported with Email+ for Android Enterprise Work Profile devices? I think the contact sync has to be enabled though!

Woody (eric.woodland@trust.tc)
2018-07-19 19:14:06

In my early demos, I think that worked @RobE. I might have a video on it

RobE (robert.kreuzer@outlook.com)
2018-07-19 19:15:24

Oh cool, If you find it let me know! 😊👊

Woody (eric.woodland@trust.tc)
2018-07-19 19:19:11

Here’s what I had with Email+ in AE back from 4/2017

Woody (eric.woodland@trust.tc)
2018-07-19 19:19:38

@Woody uploaded a file: image

Woody (eric.woodland@trust.tc)
2018-07-19 19:20:30

That was on a device that was fresh and had no native/personal contacts established

RobE (robert.kreuzer@outlook.com)
2018-07-19 19:26:28

Cool, thanks! So if you are connected via bluetooth, the device is able to grab the contacts for resolution, right?

Jason Bayton (jason@bayton.org)
2018-07-19 19:28:41

Hiiiiii

There's an outstanding bug that prevents contacts from showing up on Bluetooth car kits. It's an Android issue going on a long time now. Doesn't matter where contacts are (app wise), they can't get out of the work profile.

RobE (robert.kreuzer@outlook.com)
2018-07-19 19:36:28

Oh thats too bad! Thanks @Jason Bayton any progress in sight? 😂

Jason Bayton (jason@bayton.org)
2018-07-19 19:37:16

If you want to test it, replicate it and grab logs, every little helps towards a solution!

Woody (eric.woodland@trust.tc)
2018-07-19 19:45:04

Oh noes! So close, LoL

Jason Bayton (jason@bayton.org)
2018-07-19 19:46:00

It does look like I swooped in last minute to piss on Rob's chips tbh 😂

Woody (eric.woodland@trust.tc)
2018-07-19 19:46:27

Better to have the pissing in a back channel than on-site with a customer testing it out

Woody (eric.woodland@trust.tc)
2018-07-19 19:46:31

Hehe

Jason Bayton (jason@bayton.org)
2018-07-19 19:46:56

How do you think I became aware of said bug? 😅

RobE (robert.kreuzer@outlook.com)
2018-07-19 19:51:27

You are right guys, made my day! 😂

👍 Woody
RobE (robert.kreuzer@outlook.com)
2018-07-19 19:52:18

I will pull some logs and drop them off at Google HQ in person! Might need some backup! 👌😀

Mark Vonk (mark.vonk@dahvo.com)
2018-07-19 20:19:28

@Jason Bayton is correct. Does not work unfortunately, but was designed to work that way. Google is aware of the issue and noted to me that it should have been fixed in Nougat but even after that fix reports of the issue continued to be sent to Google. As far as I know this is still an outstanding issue.

Jason Bayton (jason@bayton.org)
2018-07-19 20:20:32

See you there! I camp out front regularly 😋

Mark last I asked they are looking for more logs. I'm going to see if I can replicate on the new motor but every bit helps!

Mark Vonk (mark.vonk@dahvo.com)
2018-07-19 20:21:55

Will ask Antonio if they need any logs and info from me. I am able to reproduce it pretty easily with my devices and car.

Jason Bayton (jason@bayton.org)
2018-07-19 20:37:45

I don't think Antonio is clued in on it. Ping Kevin if you know him, or I can collect them from you

macbentosh (benbergthold@gmail.com)
2018-07-19 21:32:42

How can MI do an auto enrollment. Turn on the device and have it auto setup as a user

macbentosh (benbergthold@gmail.com)
2018-07-19 21:32:46

is it pin?

macbentosh (benbergthold@gmail.com)
2018-07-19 21:32:51

How does Pin work?

Jason Bayton (jason@bayton.org)
2018-07-20 16:04:01

Sanity check please - - when distributing VPP apps, do you set BOTH the VPP label and the normal label, or remove the normal label and only use the VPP label?

Jason Bayton (jason@bayton.org)
2018-07-20 16:16:17

@here 🙂

Mark Vonk (mark.vonk@dahvo.com)
2018-07-20 16:34:58

Only VPP label.

Jason Bayton (jason@bayton.org)
2018-07-20 16:36:00

Thank you, I'd been arguing this over a P1 earlier today!

Jason Bayton (jason@bayton.org)
2018-07-20 16:37:27

If you push both label types, there's no guarantee the user won't be prompted for an iTunes account

Mark Vonk (mark.vonk@dahvo.com)
2018-07-20 16:38:24

Correct. It does not have a mechanism to choose one above the other. But the documentation is very clear:

Mark Vonk (mark.vonk@dahvo.com)
2018-07-20 16:38:39

You must apply a VPP app to a VPP label. Licenses can be used only by devices that are applied to a VPP label. Devices that are only applied to non-VPP labels cannot redeem a VPP license. These devices are redirected to the Apple App Store to purchase the app.

Jason Bayton (jason@bayton.org)
2018-07-20 16:39:40

Well see that isn't super clear. Because that doesn't state authoritatively that you only use the VPP label and remove the "normal" app dist label

Mark Vonk (mark.vonk@dahvo.com)
2018-07-20 16:39:43

Well… “very clear” is bit much 🙂

Mark Vonk (mark.vonk@dahvo.com)
2018-07-20 16:40:28

sorry; indeed not very clear. It’s clear that you have to apply the VPP label. Not clear: you need to remove the default (app level) label

Mark Vonk (mark.vonk@dahvo.com)
2018-07-20 16:41:52

Have the same experience: if you apply both, you sometimes get prompted to “buy” the app yourself in the appstore (or comparable AppStore screens if the App is actually free).

Jason Bayton (jason@bayton.org)
2018-07-20 16:43:47

yes, good, thank you. I'm glad I've got that confirmed once and for all.

Jason Bayton (jason@bayton.org)
2018-07-20 16:44:09

🙂

Woody (eric.woodland@trust.tc)
2018-07-20 17:08:07

I’ll agree on this, that was clear as mud. For the longest time I added both labels and it just never made sense as to “why”

Jason Bayton (jason@bayton.org)
2018-07-20 17:18:28

That's not comforting coming from a former mi guy

Jason Bayton (jason@bayton.org)
2018-07-20 17:19:00

😄

Jason Bayton (jason@bayton.org)
2018-07-20 17:20:23

When did you start doing it right @Woody? 😅

Woody (eric.woodland@trust.tc)
2018-07-20 17:26:41

I actually came into it not using both, then read the document advocating to check both… then found it was annoying and reverted back to the former behavior.

Jason Bayton (jason@bayton.org)
2018-07-20 17:30:19

Does supervision make any difference to this? I know VPP doesn't require supervision, but there's no way the two labels would be required when devices aren't supervised.. right?

Woody (eric.woodland@trust.tc)
2018-07-20 17:35:11

I can’t see how it would. However, it’s Friday AM and I’m running on 4 hours of sleep

😂 RobE
Jason Bayton (jason@bayton.org)
2018-07-20 17:36:55

Hmm .. @Alex Mercer or @Russell Mohr?

👍 RobE
Mark Vonk (mark.vonk@dahvo.com)
2018-07-20 18:54:34

I do believe at some point with some Core version you had to use both labels otherwise app distribution was intermittent. I think Core 9.1 or 9.0 or so, but was soon fixed. Maybe that sparked the ‘controversy’ and made it unclear

👍 Woody, Jason Bayton
Jason Bayton (jason@bayton.org)
2018-07-31 12:24:07

*Thread Reply:* I got an official response 😞

https://community.mobileiron.com/docs/DOC-6202

Mark Vonk (mark.vonk@dahvo.com)
2018-07-31 17:28:54

*Thread Reply:* Good to know, it seems the bug was never fixed…

Jason Bayton (jason@bayton.org)
2018-07-31 17:29:42

*Thread Reply:* Certainly not to date..

Jesse Sedler (jesse.sedler@ibm.com)
2018-07-20 21:28:12

@Jesse Sedler has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-07-21 06:10:16

How do you guys handle the classic ActiveSync publishing topic - it should only be possible to use ActiveSync through MobileIron, but a lot of customers still publish ActiveSync through Exchange. Let's drop a couple of possible solutions: a.) IP restriction on Exchange IIS so that only Sentry is allowed, but you have to move the ActiveSync directory out of the default website, otherwise Webmail access would fail. b.) ADFS Claim Rules?? c.) Rules on a load balancer?? d.) Re-Configure the Virtual Directory for ActiveSync?? e.) KCD for ActiveSync only, no basic auth possible so users will need to be enrolled in MobileIron to get a user certificate. How do you guys solve this?

Mark Vonk (mark.vonk@dahvo.com)
2018-07-21 09:40:56

Depends on the customer and requirements. Most of our customers do not publish ActiveSync or better yet, OWA, anyway. So by default already, The Sentry is the only option. If OWA is available publicly, we typically advise to put either an IP block on IIS or if available some smarter solution with the firewall or Loadbalancer to block the /Microsoft-server-ActiveSync virtual dir.

👍 Jason Bayton, RobE
Mark Vonk (mark.vonk@dahvo.com)
2018-07-21 09:45:26

But we have seen a lot worse: where ActiveSync even after years of MDM usage, is still available publicly... with hundreds or thousands of directly connecting devices. But at least, it is a known risk and liability as we warned them. Indecision, low level of security awareness, power to enforce it, or not wanting to bother end-users are typically to blame. Sometimes though direct ActiveSync is for BYOD and MDM access only for corporate devices.

Mark Vonk (mark.vonk@dahvo.com)
2018-07-21 09:48:00

ADFS is not always an option because not available. Certificate auth. neither. But all are good solutions. I do not think one is necessarily better than the other.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-07-21 09:48:03

Does MI not have powershell abilities to block off access to devices which aren't enrolled?

Mark Vonk (mark.vonk@dahvo.com)
2018-07-21 09:48:55

Yes, with the Integrated Sentry. The default is a standalone Sentry, which is like a reverse proxy and is part of the ActiveSync communication flow.

RobE (robert.kreuzer@outlook.com)
2018-07-21 12:59:07

*Thread Reply:* Agree, never used it though!

Mark Vonk (mark.vonk@dahvo.com)
2018-07-21 09:51:14

Main setback of that solution, imho, is the fact it takes some time before the device is blocked on the exchange level (sync time delay between Sentry and Exchange) and the user already received some mail. Or you need to block all users by default and then wait for the power shell command to kick in and allow the device. The latter creates a delay in initially receiving mail.

👍 RobE
RobE (robert.kreuzer@outlook.com)
2018-07-21 12:56:47

*Thread Reply:* But if the users connect directly to the Exchange server FQDN why would that matter?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-07-21 09:52:30

Normally unless you need any of the extra functions of the sentry I'd just go with the flow and use powershell.

Can't comment on MI in powershell config (only deployed it with full sentry) but Airwatch in that config releases the mailbox block within 90 seconds or so.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-07-21 09:53:07

Default activesync rule to block all, and use powershell to release it

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-07-21 09:53:43

Especially with office 365, I don't see any real issues unless you need the attachment removal etc

Mark Vonk (mark.vonk@dahvo.com)
2018-07-21 09:55:40

Because the Standalone Sentry can be used for (app)tunneling also, it’s for us the default option. Not sure right now, but previously you could not change the sync time on the integrated Sentry and it was set to 15 minutes or so. With Office365 you might not even need a Sentry at all, for example with client cert auth.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-07-21 09:56:31

Yes app tunnelling i get, good use case.

RobE (robert.kreuzer@outlook.com)
2018-07-21 21:03:00

Any of you guys use Access for On-Premise applications?

Jason Bayton (jason@bayton.org)
2018-07-21 21:17:48

Yes @RobE. A Nextcloud install.

RobE (robert.kreuzer@outlook.com)
2018-07-22 08:40:15

The On-Premise application needs to support SAML beforehand, e.g. must be integrated for example with ADFS before Access comes into play, right?

Jason Bayton (jason@bayton.org)
2018-07-22 08:52:45

I migrated it from Okta to Okta via Access, but no reason you can't do it all in one go on a vanilla install. It's a good idea to test it works with the IDP before switching to Access though, easier to troubleshoot setup issues ;)

RobE (robert.kreuzer@outlook.com)
2018-07-22 09:15:57

Ok what I know so far is that ADFS is in place, but no On-Premise application uses it. Therefore the plan should be to publish the internal website via WAP to use ADFS before talking about Access SSO! 😊

NicolasR (raison_nicolas@me.com)
2018-07-23 14:20:35

hey @here who is responsible for publishing the AppConfig XML to the appconfig community server?

NicolasR (raison_nicolas@me.com)
2018-07-23 14:20:46

Lookout for Work is not in that list yet

NicolasR (raison_nicolas@me.com)
2018-07-23 14:20:56

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>MDM</key>
    <string>MOBILEIRON</string>
    <key>DEVICEUDID</key>
    <string>$DEVICEUDID$</string>
    <key>EMAIL</key>
    <string>$EMAIL$</string>
    <key>GLOBALENROLLMENTCODE</key>
    <string>REPLACE THIS WITH YOUR GLOBAL ENROLLMENT CODE</string>
</dict>
</plist>

Tobias (tobias.gruenewald@ebf.com)
2018-07-23 14:24:40

@Russell Mohr was able to find someone within MI to publish the Outlook Specfile I created. The file you posted is the iOS managed app config plist. This needs to be translated into an AppConfig XML specfile (containing types, possible values, constraints, field descriptions and maybe also localized strings) first before it can be published.

NicolasR (raison_nicolas@me.com)
2018-07-23 15:59:40

thanks @Tobias

macbentosh (benbergthold@gmail.com)
2018-07-23 21:11:04

Anyone delivering vocera with mobileiron?

aaron (aaron@groundctl.com)
2018-07-23 23:01:14

*Thread Reply:* I’ve helped some folks do that.

macbentosh (benbergthold@gmail.com)
2018-07-23 23:24:35

*Thread Reply:* I want to push it configured

macbentosh (benbergthold@gmail.com)
2018-07-23 23:24:41

*Thread Reply:* like an app config

aaron (aaron@groundctl.com)
2018-07-23 23:25:35

*Thread Reply:* But it doesn’t support app Config, iirc.

aaron (aaron@groundctl.com)
2018-07-23 23:27:02

*Thread Reply:* If you want to set the server endpoint automatically, I’m pretty sure GroundControl can set it via a one to many backup/restore.

macbentosh (benbergthold@gmail.com)
2018-07-23 23:32:29

*Thread Reply:* and without GC?

aaron (aaron@groundctl.com)
2018-07-23 23:32:56

*Thread Reply:* No experience there, unsurprisingly

macbentosh (benbergthold@gmail.com)
2018-07-23 23:33:02

*Thread Reply:* nvm just read the message before that

aaron (aaron@groundctl.com)
2018-07-23 23:33:28

*Thread Reply:* I’d imagine they have to install appconfig at some point.

aaron (aaron@groundctl.com)
2018-07-23 23:33:57

*Thread Reply:* Their competitors do.

RobE (robert.kreuzer@outlook.com)
2018-07-24 13:14:12

Regarding Exchange config on Core - I have checked only Calendar in the Exchange config since I only want Calendar sync to be enabled for a specific mailbox on the device, but that setting does not have an effect on iOS Mail - Mail, Tasks, and Contacts are also enabled! Any idea why?

Mark Vonk (mark.vonk@dahvo.com)
2018-07-24 13:15:01

This setting is not for iOS

Mark Vonk (mark.vonk@dahvo.com)
2018-07-24 13:18:07

There is no option in the Exchange configuration profile to specify which ActiveSync feature should be enabled or not. The option is still on the Core Exchange config, as I believe it could optionally be configured for some other platform, like older Windows Mobile devices.

👍 RobE
RobE (robert.kreuzer@outlook.com)
2018-07-24 13:19:47

Had a feeling this was for Windows legacy tombstones! 😊 thanks!

macbentosh (benbergthold@gmail.com)
2018-07-25 19:00:53

Can MI turn on airplane mode and enable wifi only on a phone?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-07-25 19:05:46

*Thread Reply:* I’m not aware of any MDM that has that capability. What platform are you looking at?

RobE (robert.kreuzer@outlook.com)
2018-07-26 12:38:02

*Thread Reply:* Agree, not possible

onires53 (jason.r.serino@gmail.com)
2018-07-26 19:17:57

@channel Does anyone know if it is possible to disable access to the Apps@Work on iOS and Android? We have a use case where all we want to do is limit camera functionality (no MAM, no Email, etc.). I'm not sure if that is possible.

macbentosh (benbergthold@gmail.com)
2018-07-26 19:18:27

Do a blacklist with com.apple.webapp

NicolasR (raison_nicolas@me.com)
2018-07-26 19:18:49

Just don’t deploy the SCEP on iOS

NicolasR (raison_nicolas@me.com)
2018-07-26 19:19:47

For Android it is a bit tricky, in Android Enterprise it should be possible via device owner mode

onires53 (jason.r.serino@gmail.com)
2018-07-26 19:22:26

@NicolasR unfortunately we haven't deployed AE yet. This is where additional features around device space would be most helpful. To be able to set up a device space and have a check box to allow MAM functionality for that space would be AWESOME!

macbentosh (benbergthold@gmail.com)
2018-07-26 19:22:47

on prem?

macbentosh (benbergthold@gmail.com)
2018-07-26 19:22:59

you'll need a second core for MAM

NicolasR (raison_nicolas@me.com)
2018-07-26 19:29:44

*Thread Reply:* Not for Android ;-)

onires53 (jason.r.serino@gmail.com)
2018-07-26 19:25:24

@macbentosh yes. On prem. We only want to lock down the camera and that is it. No application management or app hosting, no email, etc.

macbentosh (benbergthold@gmail.com)
2018-07-26 19:26:27

remove the iOS label from system-ios enterprise appstore

onires53 (jason.r.serino@gmail.com)
2018-07-26 19:28:01

Yeah. We are looking at that but unfortunately, as Nicolas mentioned, Android is the main issue. 😔

Jason Bayton (jason@bayton.org)
2018-07-27 10:38:07

Android is rubbish anyway. Migrate everyone to iOS.

😂

I haven't seen the capability to remove A@W from Android, it has sat empty on a lot of legacy devices in the past!

Mark Vonk (mark.vonk@dahvo.com)
2018-07-27 10:42:54

@onires53 Can you expand on the use-case? I am not sure what you are trying to achieve, maybe there is another way.

Barrie Codona (barrie.codona@hotmail.com)
2018-07-27 12:26:07

The Apps@Work functionality is built into the Mobile@Work app. How about just not applying any labels that are associated with these devices/users to your Android apps - then Apps@Work is empty for these devices/users?

👍 Mark Vonk, NicolasR
onires53 (jason.r.serino@gmail.com)
2018-07-28 00:08:14

We have the need to block camera access in order to allow some employees the security approval to bring their BYO devices into classified areas. That is all we want to do and it would be indefinitely, unless they decided not to bring the device to work. So with that said, we don't want email or MAM functionality just Android lockdown and iOS restriction for camera disablement. @Barrie Codona that was the other idea. I think we are just going to have to go down that road (i.e. remove the apps from their labels).

Jason Bayton (jason@bayton.org)
2018-07-31 12:47:35

Technically however, it should only be required to apply VPP, and not the app label.

✅ Woody
NicolasR (raison_nicolas@me.com)
2018-08-02 21:19:43

As always Nomasis share great tools! https://download.nomasis.ch/produkte/MobileIron/JSON-Android-Enterprise/

🤘 Woody, RobE, Alex Chappuis
Woody (eric.woodland@trust.tc)
2018-08-02 21:34:10

Nice find. @NicolasR!

RobE (robert.kreuzer@outlook.com)
2018-08-02 22:21:52

Guys, did anyone try to publish Core and AppTunnel Sentry with one IP address via Microsoft ADFS Web Application Proxy? It seems that the proxy is throwing away the user certificates for AppTunnel authentication so the SSL handshake fails and I can’t find a fix for that. Any ideas?

NicolasR (raison_nicolas@me.com)
2018-08-02 22:36:10

Not possible by design of client cert authentication

NicolasR (raison_nicolas@me.com)
2018-08-02 22:36:30

To route the requests a reverse proxy needs to decrypt and therefore break the SSL session

NicolasR (raison_nicolas@me.com)
2018-08-02 22:36:52

This is why Client Cert auth is Secure: MITM is not possible ;-)

👍 Woody
NicolasR (raison_nicolas@me.com)
2018-08-02 22:37:45

(Unless you have the private key to reencrypt... but of course you don’t usually have this at a reverse proxy level)

👍 Woody
Fabian (mobilxperts@neokortex.de)
2018-08-08 13:26:45

*Thread Reply:* F5 offers such TLS MITM when using RSA ciphers. But it does not work with PFS (DHE, ECDHE, etc.).

RobE (robert.kreuzer@outlook.com)
2018-08-03 04:31:54

Thanks for your input @NicolasR . That is not so good news. Since I currently have only one external IP address for all MobileIron services, I thought with SNI that this would be possible with the WAP. Any other ideas to solve this with only one IP? I am assuming the same issue would persist with the use of a load balancer like KEMP.

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-08-03 08:51:32

@Alex Chappuis has joined the channel

Jason Bayton (jason@bayton.org)
2018-08-03 14:38:58

I push Core, App Sentry (Tunnel) and Email Sentry through one IP via HAProxy on my lab. HAProxy routes based on SNI, and I’ve had zero problems to date.. but it’s not Microsoft @RobE.

Matthias Eberle (meberle@mobileiron.com)
2018-08-03 15:01:55

@Matthias Eberle has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-08-03 17:00:22

Great tip as usual @Jason Bayton 🙏👍 no worries, I am not married to Microsoft anyway! 😂 I will give it a try, thanks!

Woody (eric.woodland@trust.tc)
2018-08-03 17:03:48

@RobE I mirrored the same config @Jason Bayton has going and I can confirm that the HAProxy works using a singular public IP

👍 RobE
RobE (robert.kreuzer@outlook.com)
2018-08-03 17:53:30

Very cool, thanks @Woody ! The weekend is secured! 😊

🤘 Woody
Jason Bayton (jason@bayton.org)
2018-08-03 18:20:54

I lied a little bit. I don't run a core through it

Jason Bayton (jason@bayton.org)
2018-08-03 18:21:17

I run 3 cores through it

Jason Bayton (jason@bayton.org)
2018-08-03 18:21:26

😂

😂 Woody, Simon Hardy-Bistagne, Jason
RobE (robert.kreuzer@outlook.com)
2018-08-03 18:40:43

😂😂😂 why? Because you can! 😂

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-03 18:42:01

I'm just surprised it's "only" 3!!

Woody (eric.woodland@trust.tc)
2018-08-03 18:44:13

That’s b/coz a single Core can manage 100k… I figure @Jason Bayton has in the ballpark of 300k devices… so the math checks out

Jason Bayton (jason@bayton.org)
2018-08-03 19:12:53

*Thread Reply:* I dock them next to my bed to charge every night (1 alarm is never enough)

Woody (eric.woodland@trust.tc)
2018-08-03 19:16:34

*Thread Reply:* LoL. You must be a deep sleeper

Jason (jasonh@bridgeway.co.uk)
2018-08-03 19:23:58

*Thread Reply:* That’s right! I recall your bedroom was filmed for a Russian TV programme recently: https://youtu.be/NXvzhYnlTU0

😆 Woody
Woody (eric.woodland@trust.tc)
2018-08-03 18:44:29

😆

Jason Bayton (jason@bayton.org)
2018-08-03 18:51:43

I keep two on hand for when MobileIron release an update and take a core down 😋

Jason Bayton (jason@bayton.org)
2018-08-03 18:53:37

I have a lab prod, lab beta and a core I give access to developers testing their AE managed config compatible apps, and other reasons

RobE (robert.kreuzer@outlook.com)
2018-08-04 09:30:48

Could you point me towards a useful and rather easy documentation for the setup of the HAproxy. There is a lot of documentation on this and I am not really too familiar with setting that up on Linux nor do I want to spend too much time on this! 😊🙏 thanks

Jason Bayton (jason@bayton.org)
2018-08-04 10:03:00

I've shared my config for you to check :)

RobE (robert.kreuzer@outlook.com)
2018-08-04 10:14:40

Awesome, thank you Jason! 🙏👍 🍺

jnegron (jnegron@vmware.com)
2018-08-06 21:44:48

@jnegron has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-08-10 10:15:58

Hey guys, do you know if it is possible to pre-configure Skype For Business on iOS with the Managed App Config (plist) ? I am not sure if the app supports it - Outlook shows the option in the App Catalog to use a plist, SfB doesn’t.

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-08-10 10:47:02

As far as I know it's not possible 😕

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-08-10 10:47:26

(we did some Pointsharp integration with SFB and could only configure the Pointsharp login app, but not Skype!)

👍 RobE
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-10 10:54:58

Would love this ability... as skype configuration is a constant issue for us. Not found an answer yet though.

RobE (robert.kreuzer@outlook.com)
2018-09-07 09:51:18

*Thread Reply:* We talked about Skype For Business, do you know if it is possible for Microsoft Sharepoint for iOS. I can’t find any infos which app supports it in technet!

RobE (robert.kreuzer@outlook.com)
2018-08-10 12:55:13

Thanks guys!

RobE (robert.kreuzer@outlook.com)
2018-08-10 14:01:10

Another one: how do you deal with lost private key for SSL cert renewal? I would suggest keep it in a safe place in the first place. But other than that, create a new CSR from Core and Sentry? Create a new key with openssl?

Mark Vonk (mark.vonk@dahvo.com)
2018-08-10 14:08:28

Create a new CSR either from the Core or with OpenSSL (that does not matter), make sure to safely store the private key. I typically use OpenSSL as it allows for further customisation of the CSR, with the Core you are limited to what MobileIron offers by default (for example, algorithms, no option to specify SAN names, etc.) If you have lost the private key, you can typically get a new cert with a new CSR without any costs. Just ask your Certificate auth.

RobE (robert.kreuzer@outlook.com)
2018-08-10 14:39:33

Thanks @Mark Vonk 🙏 costs are clear, rather the thought that since the old cert has a different private key that the upload of a new private key would fail. But this is also clear now! 🙏

Mark Vonk (mark.vonk@dahvo.com)
2018-08-10 14:56:54

IC what u mean now. It does not matter: the Core doesn’t do anything with the private key; it doesn’t store it with the CSR. That’s why you need to supply the private key again once you upload the new certificate. You can “renew” (change) the certificate on the Core or Sentry with a certificate with a different private key. This doesn’t cause any issues.

👍 Woody
RobE (robert.kreuzer@outlook.com)
2018-08-10 16:51:14

👌 perfect! Thanks for your input 🙏

macbentosh (benbergthold@gmail.com)
2018-08-13 22:40:14

Big issue

had a user send an install request to all devices for an app, need to know how to prove it in the logs and stop the installs from going to our devices

Woody (eric.woodland@trust.tc)
2018-08-13 23:12:02

Hmm. So the user went in and requested the same app for a bunch of his devices. From the App Storefront?

macbentosh (benbergthold@gmail.com)
2018-08-13 23:13:26

NO user went in and sent an installation request to all devices and not just a label

macbentosh (benbergthold@gmail.com)
2018-08-13 23:13:30

and isn't fessing up

macbentosh (benbergthold@gmail.com)
2018-08-13 23:34:43

what would a send installation request look like in a show tech

macbentosh (benbergthold@gmail.com)
2018-08-13 23:34:43

?

Jason Bayton (jason@bayton.org)
2018-08-13 23:43:46

Couldn't tell you offhand, though if you turn on trace logs, bring up the mifs live logs and do a test push to a device you'll get your answer.

macbentosh (benbergthold@gmail.com)
2018-08-13 23:44:38

I don't have trace

macbentosh (benbergthold@gmail.com)
2018-08-13 23:45:07

nvm lol

Woody (eric.woodland@trust.tc)
2018-08-14 01:38:47

Wait. How did a user go in and send an install request for devices other than their own? Or did they end up with Admin rights?

Woody (eric.woodland@trust.tc)
2018-08-14 01:39:02

🤯

Jeremy (jeremy@bodokh.com)
2018-08-14 04:47:56

@Jeremy has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-14 16:38:16

SATIRICAL POST ALERT...

I feel like this could be a good story... what happened in the end?? Someone screw up??

"Disgruntled former admin installs Grindr to 100,000 employee phones the day he was fired".

🤣 Woody, Mark Vonk
macbentosh (benbergthold@gmail.com)
2018-08-14 17:52:10

Our org is bifurcated with me running the back end and another user deploying devices. didn't read the KB and pushed an app to 2300 phones

macbentosh (benbergthold@gmail.com)
2018-08-14 17:52:25

tell my manager that I did it to sabotage them cause I want their job.

macbentosh (benbergthold@gmail.com)
2018-08-14 17:52:45

logs don't show John Doe sent an install request

Woody (eric.woodland@trust.tc)
2018-08-14 19:19:28

Grindr @Simon Hardy-Bistagne. I got a good snicker out of that

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-14 19:27:14

There has to be a way of pulling which account deployed the app... certainly on airwatch it’s logged for audits and troubleshooting...

Woody (eric.woodland@trust.tc)
2018-08-14 19:51:20

Yeah - I’m gonna try to pop into my Core and see what’s there. I know they really put a lot more focus on the auditing in the past several major releases

Mark Vonk (mark.vonk@dahvo.com)
2018-08-14 20:13:47

Yeah the push app notification command should be visible in the audit logs. Also who logged on and performed the command. Not sure what the actual command (name, description) is that MobileIron logs. But you can do the same (one device and I would opt for some other app than Grindr) and check the audit logs to see what is logged. You can view the audit log from the Core admin console, no need for ShowTech logs for that.

macbentosh (benbergthold@gmail.com)
2018-08-14 20:15:49

where are the audit logs

macbentosh (benbergthold@gmail.com)
2018-08-14 20:16:26

it says nothing about the sending of the notification

Woody (eric.woodland@trust.tc)
2018-08-14 20:18:53

Odd, yeah.. I’m not seeing anything regarding “who” initiated the request

macbentosh (benbergthold@gmail.com)
2018-08-14 20:25:08

I need the Fujawa

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-14 20:35:27

Nothing in the specific end device/user logs rather than platform audit?

macbentosh (benbergthold@gmail.com)
2018-08-14 22:38:09

any ideas

macbentosh (benbergthold@gmail.com)
2018-08-14 22:38:19

person blaming me is sr.

aaron (aaron@groundctl.com)
2018-08-14 23:55:55

@Russell Mohr?

Russell Mohr (rmohr@mobileiron.com)
2018-08-15 01:04:32

Let me ask around

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2018-08-15 06:53:45

@Wolfgang Bauer has joined the channel

Mark Vonk (mark.vonk@dahvo.com)
2018-08-15 12:22:44

Indeed not seeing any of it either in the audit logs. I would suggest to pull a ShowTech with sanitized database from the Core and raise a case with MobileIron support. Give them a date/time roughly and they should be able to find it.

NicolasR (raison_nicolas@me.com)
2018-08-15 22:01:12

@macbentosh did you update your core recently? All apps that are marked as “send install request upon registration” are pushed again when upgrading to Core 9.7 or 10.0

macbentosh (benbergthold@gmail.com)
2018-08-15 22:26:48

Did not

macbentosh (benbergthold@gmail.com)
2018-08-15 22:26:59

user pushed it while not following the KB

macbentosh (benbergthold@gmail.com)
2018-08-15 22:34:25

what does send installation request appear as in the logs?

Fabian (mobilxperts@neokortex.de)
2018-08-15 23:03:34

@RobE Doing a key rollover as part of the renewal is kind of best practice - Even if the key stays the same, don't forget about AppTunnel certificate pinning 🙂

👍 RobE
Fabian (mobilxperts@neokortex.de)
2018-08-15 23:08:34

@macbentosh Haven't checked whether you can see the initial "Send Message" command in the audit log. However, if you created a showtech afterwards it contains the https-access.log files for the upfront Apache. This will give you (assuming you can identify the according request URL) the requester's source IP. If you correlate the admin MIFS login events, which definitely are inside the audit log, you can correlate them also to the https-access.log, where you find the source IP. If you and the other guy are not behind an overload NAT, you'll have some evidence who did it and when 🙂

macbentosh (benbergthold@gmail.com)
2018-08-15 23:12:04

looking now.

macbentosh (benbergthold@gmail.com)
2018-08-15 23:12:06

I have their IP

macbentosh (benbergthold@gmail.com)
2018-08-15 23:12:13

and we are behind the same nat

Fabian (mobilxperts@neokortex.de)
2018-08-15 23:12:28

Does the NAT have a log? 🙂

macbentosh (benbergthold@gmail.com)
2018-08-15 23:12:30

I need it to say X pushed __ to all devices

macbentosh (benbergthold@gmail.com)
2018-08-15 23:12:33

yes

macbentosh (benbergthold@gmail.com)
2018-08-15 23:12:37

172.18.48.XX

Fabian (mobilxperts@neokortex.de)
2018-08-15 23:13:09

I mean... something like 1.2.3.4:34777 got NATted to 5.6.7.8:57333

macbentosh (benbergthold@gmail.com)
2018-08-15 23:13:34

I'm lost

Fabian (mobilxperts@neokortex.de)
2018-08-15 23:13:38

😄

macbentosh (benbergthold@gmail.com)
2018-08-15 23:13:40

is this for core

Fabian (mobilxperts@neokortex.de)
2018-08-15 23:14:02

No, that's referring to the NAT which you might have in between when accessing Core

macbentosh (benbergthold@gmail.com)
2018-08-15 23:14:07

Want to side chat this?

Fabian (mobilxperts@neokortex.de)
2018-08-15 23:14:41

I would probably be more interested in sleeping. It's going towards 1 AM 🙂 But some minutes are ok

Jason Bayton (jason@bayton.org)
2018-08-16 21:01:58

Folks what options do I have for running Core in cloud infra? I don't know of any public images for AWS, Google Cloud or Azure, though I'm speaking to folks who want the features in Core without it being onprem. Suggestions?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-16 21:07:36

Didn't they launch the MobileIron cloud solution a while back? Or is my knowledge dodgy there??

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-16 21:07:53

Or do they want self hosted cloud?

Jason (jasonh@bridgeway.co.uk)
2018-08-16 21:08:44

We offer a private cloud version, but other than the old Connected Cloud version, you’ll be struggling, I believe. (Unless they fancy biting the bullet and going full MobileIron Cloud)

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-16 21:09:28

Azure has MobileIron on their marketplace... Not sure just what it includes though.

👍 Jason Bayton
Preetham Guram (spurtipreetham.g@gmail.com)
2018-08-16 21:10:24

I think that’s the connected cloud.

Jason Bayton (jason@bayton.org)
2018-08-16 21:22:09

Core is so much better than Cloud, otherwise that would be an easy push. just need to fathom a way of getting it running somewhere.

Jason (jasonh@bridgeway.co.uk)
2018-08-16 21:30:33

Don’t disagree with any of that. Happy to offer our infra if it helps?

Jason Bayton (jason@bayton.org)
2018-08-16 21:37:40

Thanks for offering! I think if it comes to it could host it in the company DC, but try to avoid that generally. AWS or so would be ideal.

Jason (jasonh@bridgeway.co.uk)
2018-08-16 21:40:59

Depends on connectivity needs too, I guess. Shout if they need N3 (NHS), HSCN (Local govt, NHS), and/or PSN (central and local govt).

Jason (jasonh@bridgeway.co.uk)
2018-08-16 21:41:38

Or ISO27k or Cyber Essentials, of course.

Jason Bayton (jason@bayton.org)
2018-08-16 21:42:32

So far that hasn't been a concern, but I'm sure it's a matter of time..

👍 Jason
Jason Bayton (jason@bayton.org)
2018-08-16 21:42:58

As an aside, Core 10 is not playing nicely with KVM

👎 Jason
Fabian (mobilxperts@neokortex.de)
2018-08-17 09:11:42

Deutsche Telekom has a huge MobileIron private cloud, where you can easily get your own hosted Core + Sentry + Sentry + ..., so you can focus on the application, not caring about operation. They also have plenty certifications, so that shouldn't be an issue. - There also are similar offerings by other carriers and MobileIron partners. Currently MobileIron only supports Sentrys/Connector for deployment in Azure.

Jason Bayton (jason@bayton.org)
2018-08-17 09:13:00

Ah I wasn't aware Azure was public yet.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-17 09:15:35

Yes, Vodafone has something similar hosted out of Germany, however as someone who's looked under that specific skirt, I wouldn't advise ever going for anything hosted by a carrier.

Fabian (mobilxperts@neokortex.de)
2018-08-17 09:16:19

I think Deutsche Telekom is ok, as we do the hosting for them 😉

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-17 09:24:01

🙈

NicolasR (raison_nicolas@me.com)
2018-08-17 17:32:17

We will deploy Core in AWS with the help of professional services for “official support”

👍 Woody, Jason
NicolasR (raison_nicolas@me.com)
2018-08-17 17:33:06

Please raise the problem to MobileIron product team, they don’t want to spend money to support Core in AWS/Azure because they have cloud...

NicolasR (raison_nicolas@me.com)
2018-08-17 17:33:21

If we are many to ask this, they will officially support it

NicolasR (raison_nicolas@me.com)
2018-08-17 17:34:06

My customer’s use case: 20K devices + 20 more if everything goes well

Jason Bayton (jason@bayton.org)
2018-08-17 17:41:53

Oh they should be aware from my side!

Aseleven (lee@aseleven.co.uk)
2018-08-20 11:55:05

@Aseleven has joined the channel

Mark Vonk (mark.vonk@dahvo.com)
2018-08-21 21:24:09

What specific Core features are your customers asking for @NicolasR and @Jason Bayton ? I have a customer running Core and Sentry on a vSphere environment hosted by VMWare, so basically IaaS.

Mark Vonk (mark.vonk@dahvo.com)
2018-08-21 21:32:22

And I get the business requirement in that case. But Cloud these days is pretty much on par with Core. Any specifics missing for these customers?

Jason Bayton (jason@bayton.org)
2018-08-21 21:39:55

I’ve gone the KVM route and that opens the doors to many options, so no longer such an issue 🙂 Cloud is less intuitive, has weird restrictions on admin password policies, user expiry, can’t support COPE, many deployments I’ve gone to click some little tickbox for something in Core which isn’t in Cloud, it’s always a pain. I can’t be specific as I don’t keep track, it’s just exhausting. Guys in MI I speak with echo the sentiment but can’t seemingly do much about it.

NicolasR (raison_nicolas@me.com)
2018-08-21 22:10:01

• in the specific case, the customer have all his “new” IT infrastructure in AWS so they need to host MobileIron there for compliance/security reasons

Cloud is public cloud where you don’t really know what is done on it (who can access the DB, the keys,...) you don’t control versions and QA cycle, you don’t have the same level of logging + SPLUNK integration.

The customer have highly critical business use cases to address

NicolasR (raison_nicolas@me.com)
2018-08-21 22:11:55

And also MI Cloud have MUCH LESS partners that integrate it...

NicolasR (raison_nicolas@me.com)
2018-08-21 22:12:19

(In that case a deployment of Lookout, which is not compatible with Cloud)

AJ (ajorgensen@mobileiron.com)
2018-08-22 11:05:23

@AJ has joined the channel

Jason (jasonh@bridgeway.co.uk)
2018-08-22 11:17:33

And not to mention the ludicrous use of different APIs and even different results from the same type of API calls…

macbentosh (benbergthold@gmail.com)
2018-08-22 20:01:53

hey what is the wildcard for a label?

macbentosh (benbergthold@gmail.com)
2018-08-22 20:01:54

“user.display_name” != “mbl”

macbentosh (benbergthold@gmail.com)
2018-08-22 20:05:25

or the ability to exclude from a label

macbentosh (benbergthold@gmail.com)
2018-08-22 20:38:04

or can i filter by member of an ou?

Mark Vonk (mark.vonk@dahvo.com)
2018-08-22 21:18:49

Exclude can be done by what you have written, something like “user.display_name” != “mbl” Or on device ID, if device is already registered.

macbentosh (benbergthold@gmail.com)
2018-08-22 21:27:56

@Mark Vonk I need an exclude starts with.

macbentosh (benbergthold@gmail.com)
2018-08-22 21:30:43

Also @Mark Vonk looking at your vm post. Tomorrow I have to move my core from an amd to an intel host. Any issues?

macbentosh (benbergthold@gmail.com)
2018-08-22 22:13:01

what is a variable represented as in the MI search

macbentosh (benbergthold@gmail.com)
2018-08-22 22:13:03

?

Mark Vonk (mark.vonk@dahvo.com)
2018-08-23 07:55:37

@macbentosh I am not really understanding your questions regarding the labels. As for VMWare; in principle this should not be an issue. The underlying hardware is of no impact as the Core is seeing virtualized hardware, not the actual hardware.

macbentosh (benbergthold@gmail.com)
2018-08-23 16:13:19

we have shared devices that are part of a service account OU. I want a label that excludes anything that starts with mbl or svc

NicolasR (raison_nicolas@me.com)
2018-08-26 11:11:19

*Thread Reply:* You can use “does not contain” search criteria if you want

macbentosh (benbergthold@gmail.com)
2018-08-28 22:43:22

*Thread Reply:* what filter is OU?

NicolasR (raison_nicolas@me.com)
2018-08-28 23:03:07

*Thread Reply:* It is suggested to do something like: “common.userid” does not contain “svc”. I’m not exactly sure about the search criteria, but “does not contain” works

macbentosh (benbergthold@gmail.com)
2018-08-29 17:10:43

*Thread Reply:* there is no “does not contain”, it’s “does not =”

NicolasR (raison_nicolas@me.com)
2018-08-29 17:59:53

*Thread Reply:* Just write it in the criteria ;-) You’ll see it works!

Matthias Eberle (meberle@mobileiron.com)
2018-08-23 16:29:11

@macbentosh afaik there is no way to define a "does not start with" option, but the easy way would be to create a group inside the OU, add all the users to that group and use the LDAP group in the filter: "user.ldap.groups.name" = "Test users"

The non-recommended option is to list all users that you want to exclude with: "user.userid" != "svctestuser"

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-23 16:34:49

Can you create an exception group based on an LDAP custom query based on a wildcard?

Eg a new ldap group based on upn=mbl**

macbentosh (benbergthold@gmail.com)
2018-08-23 17:09:31

yes but I don't want those users.

Mark Vonk (mark.vonk@dahvo.com)
2018-08-23 17:49:28

Indeed, best way is to add the users to a group and then exclude the group

Mark Vonk (mark.vonk@dahvo.com)
2018-08-23 17:50:43

"user.ldap.groups.name" != "GroupName"

Mark Vonk (mark.vonk@dahvo.com)
2018-08-23 17:54:02

Negative operators do have an effect on the performance. So better would be to find some LDAP attribute that normal users have and the shared device users do not have. And make sure the labels for the configs that the regular users need to get include the LDAP attribute. In that way, the configs are only pushed to the regular users and not the shared device users without using a negative operator in the label query. Best way would be to use groups (most visible and easy to automate) for this. But you can also use LDAP attributes and bind these to Custom1, etc.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-08-23 18:35:22

Also don't forget to get any LDAP attributes you sync to be indexed by the ad team as otherwise you could be there a while!

macbentosh (benbergthold@gmail.com)
2018-08-24 17:33:26

how can I target a group of signed out devices and give them a special wallpaper?

Barrie Codona (barrie.codona@hotmail.com)
2018-08-24 22:27:10

On your Core server, navigate to 'Settings > Users & Devices > Custom Attributes', create a new 'Custom Device Attribute' that can be used to group all of your devices in your 'group' - like 'Business Unit'. Next, navigate to 'Devices & Users > Devices', select all of your devices that are part of this group and click on 'Actions > Set Custom Attribute'. Select your new device attribute from the list and set a value for this 'group', for example 'HR'. Now click on your 'Advanced Search' button and create a multiple rule filter. First rule based on the Custom Attribute setting and the second rule based on the 'non-compliance Reason' value of 'User Logged out'. You should then end up with something that looks like: "custom.device.BusinessUnit" = "HR" AND "common.noncompliancereasons" = "LOGGEDOUT" Save this to a label. Lastly, apply this label to your Wallpaper Policy.

👏 Woody
🍺 macbentosh
onires53 (jason.r.serino@gmail.com)
2018-08-25 18:41:02

@here Anyone else having a hell of a time with Core 10 in general? We delayed and waited for Core 10.0.0.2 in hopes that it would fix all the issues with 10 as the release notes indicated but after updating our QA environment it hasn't fixed any of it from our testing. Now we are stuck with iOS devices being unusable in that environment. Luckily we are still on Core 9.6 in prod.

Jason Bayton (jason@bayton.org)
2018-08-25 22:07:03

*Thread Reply:* In my lab things are ticking along ok, though the known issue around connector and ios don't affect me. In prod we run n-1 and most customers aren't even up to 9.7 as yet. Bring on 10.0.1.0..

onires53 (jason.r.serino@gmail.com)
2018-08-26 01:53:07

*Thread Reply:* I'm hoping 10.0.1 does fix the issues we are seeing. The only Android issues we have right now are around the Mobile@Work client reporting all apps on the device being uninstalled and then reinstalled (this causes havoc with required app compliancy rules) and lack of Android 9.0 in-house app support with our 9.6 environment

RobE (robert.kreuzer@outlook.com)
2018-08-26 08:50:53

Anyone familiar with this message for Docs@Work AppConnect? This is the first time I have seen this. Since when are the Google Play services relevant for AppConnect apps?

Jason Bayton (jason@bayton.org)
2018-08-26 08:52:12

Yes, standard affair for distributing in-house apps via Play. However you don't want to be doing that with D@W. There's a Play version already available which also supports managed config

RobE (robert.kreuzer@outlook.com)
2018-08-26 08:58:38

So this is a general message? I agree with you that this makes absolutely no sense and is also not what I am doing. This is D@W ACe for Android "native", so only for Android native devices, which makes no sense to deploy via Google Play. Android Enterprise devices receive D@W from Google Play services like you described.

Jason Bayton (jason@bayton.org)
2018-08-26 09:12:35

General, yes

Mark Vonk (mark.vonk@dahvo.com)
2018-08-27 12:38:49

Anyone here using Core+Sentry to manage devices connecting to Google Apps? If so, do you see an issue with the native iOS mail having duplicate mails in the Sent Items also?

Woody (eric.woodland@trust.tc)
2018-08-27 18:14:28

As-in proxying EAS through a Sentry to GMail @Mark Vonk?

Mark Vonk (mark.vonk@dahvo.com)
2018-08-27 18:25:32

Yes indeed, Sentry is MitM in this case. I doubt it’s the Sentry though. Probably some weird Gmail ActiveSync(-like) issue

Woody (eric.woodland@trust.tc)
2018-08-27 18:54:13

Ah, okay @Mark Vonk. I haven’t gone through that arrangement in forever, but if I had to guess I would say it is something to do with the EAS implementation on GMail’s side

macbentosh (benbergthold@gmail.com)
2018-08-28 21:57:49

Can anyone shoot me a screenshot of their android wifi config for a wpa2 enterprise setup?

macbentosh (benbergthold@gmail.com)
2018-08-28 22:07:16

@Barrie Codona IOU a cool one my dude!

👏 Woody
👍 Barrie Codona
Woody (eric.woodland@trust.tc)
2018-08-29 15:31:27

@Barrie Codona’s response times are insane. Mad kudos to you!

👍 Barrie Codona, RobE
Peuge (peuge.benjamin@gmail.com)
2018-08-29 15:34:03

@Peuge has joined the channel

Peuge (peuge.benjamin@gmail.com)
2018-08-29 15:34:22

@Woody good to see you sir

Woody (eric.woodland@trust.tc)
2018-08-29 15:34:33

Likewise, @Peuge!

Woody (eric.woodland@trust.tc)
2018-09-06 14:31:49

@here anyone know if there are plans for Core to support SAML for device enrollment in the somewhat near future?

Miklos Kerekfy (miklos@kerekfy.hu)
2018-09-06 14:43:29

you mean in-client? you could do workaround by SAML for user portal and PIN-only registration, so user can generate that themselves

Woody (eric.woodland@trust.tc)
2018-09-06 14:45:50

@Miklos Kerekfy I mean, if I browse to core.domain.com/go, enroll a device using SAML with an IdP as we do for the User and Admin Portal.

👍 Miklos Kerekfy
Woody (eric.woodland@trust.tc)
2018-09-06 14:46:41

I appreciate the work-around, but client is interested in the same functionality for enrollment that’s available for the other two portals

Miklos Kerekfy (miklos@kerekfy.hu)
2018-09-06 14:47:33

fair enough request, I had similar from client before (meaning 3 years ago when SAML was introduced at Core)

NicolasR (raison_nicolas@me.com)
2018-09-06 15:13:18

Be careful, I saw that with AW. SAML enrollment doesn't work with DEP

Woody (eric.woodland@trust.tc)
2018-09-07 01:59:10

Good call @NicolasR!

Kiran Patel (kiran@kiranpatel.net)
2018-09-07 14:52:00

Have you guys seen this doc MI just published? I reached out to support and didn't get much info

Mark Vonk (mark.vonk@dahvo.com)
2018-09-07 14:58:34

I have seen the message and already asked for more clarification.

macbentosh (benbergthold@gmail.com)
2018-09-07 16:54:14

where is the option for iOS update deferment in MI Core?

Barrie Codona (barrie.codona@hotmail.com)
2018-09-07 17:37:55

*Thread Reply:* This is within the iOS Restriction Configuration.

macbentosh (benbergthold@gmail.com)
2018-09-07 17:55:14

*Thread Reply:* what version of core are you on?

Barrie Codona (barrie.codona@hotmail.com)
2018-09-07 18:14:19

*Thread Reply:* This screenshot is from Core 10.0.0.2

macbentosh (benbergthold@gmail.com)
2018-09-07 17:56:48

any issues going to 10.0.0.2?

Woody (eric.woodland@trust.tc)
2018-09-07 18:24:38

*Thread Reply:* @macbentosh time to find out. Taking a snap and upgrading

Jason Bayton (jason@bayton.org)
2018-09-08 19:53:03

*Thread Reply:* I’m on 10.0.0.2 with no issue, though 100% Android Enterprise and no LDAP so.. I really probably shouldn’t even add a voice tbh 😄

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2018-09-12 15:54:37

*Thread Reply:* Keep in mind that the admin portal can only be used via the FQDN in Core 10 (not IP or another DNS record). Besides that, it's a 70/30 thing. Most times it runs smoothly. On other installations nothing works after the update (Core does not boot, DEP broken,...)

👍 Woody
Woody (eric.woodland@trust.tc)
2018-09-12 20:43:27

*Thread Reply:* Good insights @Wolfgang Bauer

Mark Vonk (mark.vonk@dahvo.com)
2018-09-08 05:49:28

But be careful to use the snapshot: if you have issues with iOS devices checking in, do not use the snapshot: it will break even more stuff. There are numerous issues I have seen. Typically I would advise to wait for 10.1 or so currently.

👍 Woody, fridomac
macbentosh (benbergthold@gmail.com)
2018-09-11 18:16:04

docs@Work config is pending and user is getting a retired: User logged out error… Ideas?

Kiran Patel (kiran@kiranpatel.net)
2018-09-11 18:52:18

Anyone know what the runmonitorscr on an MI Sentry is? We had some UCS issues this morning and our Sentries are running really hot on CPU

Kiran Patel (kiran@kiranpatel.net)
2018-09-11 18:53:34

Figured I'd ask here real quick before waiting for support

Woody (eric.woodland@trust.tc)
2018-09-11 19:03:52

Sorry @Kiran Patel, haven’t come up across that process

Woody (eric.woodland@trust.tc)
2018-09-11 19:04:02

Anything back from Support?

Kiran Patel (kiran@kiranpatel.net)
2018-09-11 19:05:46

just finished opening up the case and now calling them

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2018-09-11 22:07:44

turned out to be a cleanup script that couldn't run as the file system was in RO mode due to VM issues

👍 Woody
Woody (eric.woodland@trust.tc)
2018-09-12 19:51:09

*Thread Reply:* Thx for the update @Kiran Patel. So, technically not related to Sentry itself… but the VM environment that it lives in. Right?

Kiran Patel (kiran@kiranpatel.net)
2018-09-12 19:52:33

*Thread Reply:* yup but technically if the VM appliance puts itself into RO mode a script running on it shouldn't be able to consume all resources

Woody (eric.woodland@trust.tc)
2018-09-12 19:52:47

*Thread Reply:* True

Woody (eric.woodland@trust.tc)
2018-09-12 19:52:54

*Thread Reply:* Should be a pre-flight check on the script side

Makmuri (katarina.makmuri@gmail.com)
2018-09-12 01:59:28

@Makmuri has joined the channel

Jason Bayton (jason@bayton.org)
2018-09-12 13:30:41

Guys are any of you running Core 10.0.0.2 + with AE work-managed devices? If so, are you seeing location reported against those devices?

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-09-12 15:49:16

Known issue with Core 10.x and DEP registration on iOS : https://community.mobileiron.com/docs/DOC-8402

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-09-12 15:50:42

@Jason Bayton Not tried yet, but I would not hesitate to let you know once we have tested the use case.

Jason Bayton (jason@bayton.org)
2018-09-12 15:58:53

Thanks Alex.

RobE (robert.kreuzer@outlook.com)
2018-09-13 05:08:24

Not yet @Jason Bayton but I will be looking for it and let you know

Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 12:24:40

@Jason Bayton no issue here with Core 10.0.0.2 and a work managed device. Location is correct

Jason Bayton (jason@bayton.org)
2018-09-13 12:50:28

Hmm. Replicated on 3 Cores so far @Mark Vonk. Gives me the 72 hours error and that's all she wrote. GPS if available is set and GPS isn't restricted

Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 12:52:36

Weird... I just registered the device and was able to locate it. Were your devices already registered?

Jason Bayton (jason@bayton.org)
2018-09-13 12:54:25

Yes

Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 12:59:47

Ok, let me check something else

Jason Bayton (jason@bayton.org)
2018-09-13 13:02:38

Registered on 0.2 or before. Noticed it on 0.2 and will try to replicate on 0.3 in a bit

Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 13:07:38

Sorry, .... Someone got his Android Enterprise terminology confused... Just enrolled a Work Managed Android Enterprise device. I can't locate it now either.

Jason Bayton (jason@bayton.org)
2018-09-13 13:36:48

Ah good

Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 13:38:50

Not good 🙂 Have you noticed it on other MDM or previous Core versions?

Jason Bayton (jason@bayton.org)
2018-09-13 16:40:08

Good that I’m not actively misconfiguring servers. I’ve only seen it from 10.0.0.2 but wasn’t really checking before

Jason Bayton (jason@bayton.org)
2018-09-13 16:51:46

Re-enrolled a pixel in 10.0.0.3 and it’s reporting… hmm

Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 19:11:08

Updated to 10.0.0.3 and with or without a re-enroll, still not working for me.

🤔 Woody
Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 19:59:23

Enrolled again, work managed with a work profile, still the same issue. Enabled location (even using WiFi, etc). No lockdown policies in effect. Same device, but then BYOD with a work profile, reports location just fine.

Mark Vonk (mark.vonk@dahvo.com)
2018-09-13 19:59:53

Drained the battery, so time to retire this testing for now.

Jason Bayton (jason@bayton.org)
2018-09-14 09:48:23

This is bizarre

Jason Bayton (jason@bayton.org)
2018-09-14 09:48:51

Thanks for testing Mark. I’ve enrolled three more devices and only the Pixel is reporting

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-09-14 09:57:54

Sounds like the ideal time to standardise on the pixel across the board then...

Mark Vonk (mark.vonk@dahvo.com)
2018-09-14 11:38:07

Weird stuff. Not sure if it's MobileIron, AE, or a device specific issue now... Have had some notable other issues with AE on Samsung devices, so I would not rule that out as a source of issues.

NicolasR (raison_nicolas@me.com)
2018-09-14 16:35:12

Anyone worked with Zebra ET50 or ET55 devices with MobileIron ?

NicolasR (raison_nicolas@me.com)
2018-09-14 16:35:21

preferably with Android Enterprise 🙂

macbentosh (benbergthold@gmail.com)
2018-09-17 15:12:21

what version of core allows me to defer the iOS update?

aaron (aaron@groundctl.com)
2018-09-17 15:22:19
macbentosh (benbergthold@gmail.com)
2018-09-17 15:23:51

I would like to have the native option in core

aaron (aaron@groundctl.com)
2018-09-17 15:24:36

Of course. But then Core would simply send the same profile.

macbentosh (benbergthold@gmail.com)
2018-09-17 15:35:18

how would that conflict with the restrictions policy I have going to those devices now? What takes lead?

macbentosh (benbergthold@gmail.com)
2018-09-17 15:37:07

what I’m wondering is if i can get what I need by going to 9.7.0.2 vs 10

aaron (aaron@groundctl.com)
2018-09-17 15:51:21

Whatever is more restrictive wins. 90 days beats 60.

macbentosh (benbergthold@gmail.com)
2018-09-17 15:51:47

I was talking about other settings i.e. facetime

aaron (aaron@groundctl.com)
2018-09-17 16:03:53

The profile above will not affect any other setting.

Barrie Codona (barrie.codona@hotmail.com)
2018-09-17 16:05:37

@macbentosh The native option is in Core 10.

macbentosh (benbergthold@gmail.com)
2018-09-17 16:07:46

@Barrie Codona what issues am I looking at in 10.0.0.3

macbentosh (benbergthold@gmail.com)
2018-09-17 16:10:24

2200+ iOS devices

macbentosh (benbergthold@gmail.com)
2018-09-17 16:10:26

all dep

macbentosh (benbergthold@gmail.com)
2018-09-17 16:10:34

30ish android

Barrie Codona (barrie.codona@hotmail.com)
2018-09-17 16:11:24

It would really depend on what features you are using. The best place to start reading is here: https://community.mobileiron.com/community/micore/known-issues

I'd also advise reading the Release Notes for this version of Core: https://community.mobileiron.com/docs/DOC-8463

Also, since you are not already on Core 10, then prior to upgrading to Core 10, follow the steps outlined in this guide: https://community.mobileiron.com/docs/DOC-7886

macbentosh (benbergthold@gmail.com)
2018-09-17 16:14:22

How could you test this?

Procedure: Please ensure that prior to upgrading, the following outbound TCP ports are open and the hosts are reachable:

Host Port
api.push.apple.com 443
feedback.push.apple.com* 2196

*Carryover from APNSv1

Barrie Codona (barrie.codona@hotmail.com)
2018-09-17 16:28:40

This will be an outbound firewall rule that needs to be updated on your perimeter firewall. You will be able to test it using the built-in services diagnostic check in the Core server. Navigate to 'Services > Overview' and click on the 'Verify' button to the right of the APNS service. You could also try testing this from the CLI of the Core server using the telnet command:

telnet api.push.apple.com 443

macbentosh (benbergthold@gmail.com)
2018-09-17 16:29:02

I did that and connected

Barrie Codona (barrie.codona@hotmail.com)
2018-09-17 16:29:37

Excellent. Take a backup of your Core server and then upgrade!

macbentosh (benbergthold@gmail.com)
2018-09-17 16:29:55

snapshot or db backup?

Barrie Codona (barrie.codona@hotmail.com)
2018-09-17 16:34:26

I would export a local backup via the System Manager.

macbentosh (benbergthold@gmail.com)
2018-09-17 16:38:23
macbentosh (benbergthold@gmail.com)
2018-09-17 17:20:45

Seeing a few of these emails.

macbentosh (benbergthold@gmail.com)
2018-09-17 17:20:50

WARNING::+15592 (mbl_CRMC8WSup) iOS device MDM deactivated

Barrie Codona (barrie.codona@hotmail.com)
2018-09-17 17:29:45

Are your devices checking-in to your Core server?

macbentosh (benbergthold@gmail.com)
2018-09-18 16:12:26

yes

RobE (robert.kreuzer@outlook.com)
2018-09-22 11:19:44

How do you guys deal with domain name changes for Core and Sentry? Still fresh installs?

Jason Bayton (jason@bayton.org)
2018-09-22 11:22:57

I rebuilt mine yep, the CAs retain the URL of the old name

RobE (robert.kreuzer@outlook.com)
2018-09-22 12:21:13

..and the enrolled devices? Core system backup won’t help due to the old CAs, right? I am thinking there is no migration of the devices possible

Jason Bayton (jason@bayton.org)
2018-09-22 12:22:10

Indeed. I'm sure there's a means for fixing it via DB or so but I don't know what it is. @Mark Vonk / @Jason

👍 RobE
Mark Vonk (mark.vonk@dahvo.com)
2018-09-22 13:23:00

There probably is a solution... tried it once for a test but gave up fixing it. There is no help from MobileIron. Had to dig through the DB and fix the domain name, but also many properties files, etc. In the end, while it seemed all ok, I gave up as I could not get the devices to check in.

Mark Vonk (mark.vonk@dahvo.com)
2018-09-22 13:24:23

If not needed do not change the domain name for the Core. If needed, just build a new one. Best advice I can give...

👍 Jason Bayton, onires53, RobE
Jason Bayton (jason@bayton.org)
2018-09-22 13:26:58

Seems fair, I can rebuild because it's my lab. A second core and migration sounds reasonable where it matters

Preetham Guram (spurtipreetham.g@gmail.com)
2018-09-22 20:42:36

Why not build the second server put it in HA and perform the sync?

Jason Bayton (jason@bayton.org)
2018-09-22 20:43:50

CAs would be synced over also would they not?

RobE (robert.kreuzer@outlook.com)
2018-09-24 08:26:21

I agree with Jason.

Mark Vonk (mark.vonk@dahvo.com)
2018-09-24 08:28:08

Indeed, does not solve the issue with the CAs. Basically HA will copy all the important stuff from the Primary to the Secondary. It does not change anything with regard to domain name changes.

👍 RobE
macbentosh (benbergthold@gmail.com)
2018-09-24 21:56:49

When a DEP enrolled device restores a backup how do you tell what device to retire?

Amine (amine.ayad@gmail.com)
2018-09-25 10:32:05

The one with the oldest check-in?

Jason Bayton (jason@bayton.org)
2018-09-25 11:06:15
Amine (amine.ayad@gmail.com)
2018-09-25 14:00:05

Hahaha

macbentosh (benbergthold@gmail.com)
2018-09-27 22:45:57

All newly enrolled devices are not getting an Activation Lock Bypass Code

Mark Vonk (mark.vonk@dahvo.com)
2018-09-28 08:02:05

Known issue to be fixed in Core 10.1

👍 Woody, Preetham Guram
RobE (robert.kreuzer@outlook.com)
2018-09-29 16:21:14

Pretty sure this question was dropped before: Exchange Online: deployment with or without Standalone Sentry? (Core On-Premise) If yes, why not deploy Sentry in Azure or AWS?

Mark Vonk (mark.vonk@dahvo.com)
2018-09-29 17:34:32

Assuming it needs to be secure: with a standalone Sentry. Either the current, if exists, or a new one. Does not really make a difference where it is running, on-premises or in the cloud. If it’s Core, I assume a Sentry on-premises is not an issue.

Mark Vonk (mark.vonk@dahvo.com)
2018-09-29 17:37:36

Otherwise an integrated Sentry? Works also with Exchange Online.

Mark Vonk (mark.vonk@dahvo.com)
2018-09-29 17:39:47

Alternative is no Sentry and do CBA for Exchange Online.

NicolasR (raison_nicolas@me.com)
2018-09-30 13:33:09

Did someone test the following: Deploying MI Access with iOS 12 OAuth Exchange Online profile?

NicolasR (raison_nicolas@me.com)
2018-09-30 13:33:13

does it work?

Woody (eric.woodland@trust.tc)
2018-10-01 18:08:49

Exchange Online as-in O365? Or is that still somewhat of a separate hosted service?

NicolasR (raison_nicolas@me.com)
2018-10-01 18:47:26

Exchange online = Office365 mail access yep

RobE (robert.kreuzer@outlook.com)
2018-10-02 12:44:13

Are there any limitations for Zebra devices? Zebras seem to have problems with WiFi config deployments (cert-based auth). Currently DA enrolment. WiFi config is partially applied - and also: is there no Play Store on Zebra devices? Looks like they have been shipped without Google Services installed.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-10-02 16:49:16

Can't speak for MobileIron but there is a specific AirWatch client for Zebra devices you manually install outside of the Google Play store.

RobE (robert.kreuzer@outlook.com)
2018-10-02 17:07:51

Thanks Simon. Ah ok, I can recall that I have read about something similar for Zebra devices on the MI community. Let’s have a look again..

RobE (robert.kreuzer@outlook.com)
2018-10-02 17:14:55

So StageNow is the magic word? https://community.mobileiron.com/docs/DOC-5328

NicolasR (raison_nicolas@me.com)
2018-10-02 19:50:16

🦓 Zebra devices are shipped with or without Google Mobile Services! You need to ask Zebra to provide the right firmware

RobE (robert.kreuzer@outlook.com)
2018-10-03 09:23:14

Thanks @NicolasR .

RobE (robert.kreuzer@outlook.com)
2018-10-05 10:31:43

Guys I am looking for a setting within MobileIron, but can’t find it. We had an issue where Core was not reachable. For ActiveSync devices which have not been registered we found this entry in the Sentry log: “Since EMM server is not reachable - applying DEFAULT update for device xxxxxx” - followed by “Applying default policy ALLOW for device xxxx” - result was unregistered devices are able to sync mails. Where is that setting? Auto Block Unregistered Devices is turned on within the Core Admin Portal, so that is not the one referenced in the log

Preetham Guram (spurtipreetham.g@gmail.com)
2018-10-05 10:57:25

Services > Sentry > Preferences

Preetham Guram (spurtipreetham.g@gmail.com)
2018-10-05 10:57:47
Preetham Guram (spurtipreetham.g@gmail.com)
2018-10-05 10:58:02

@RobE

RobE (robert.kreuzer@outlook.com)
2018-10-05 11:50:04

Thanks Spurti, I am familiar with this. But which setting do you refer to?

RobE (robert.kreuzer@outlook.com)
2018-10-05 11:54:50

I believe when Core is down and Sentry can’t talk to Core the DEFAULT action is ALLOW. But where can this be changed? It is not the auto block option you refer to

Preetham Guram (spurtipreetham.g@gmail.com)
2018-10-05 13:56:24

*Thread Reply:* My bad, It can be changed. I do see that you got your response 😊

👍 RobE
RobE (robert.kreuzer@outlook.com)
2018-10-05 11:57:40
RobE (robert.kreuzer@outlook.com)
2018-10-05 12:03:58

It looks like this behavior cannot be changed! 😊👍

Barrie Codona (barrie.codona@hotmail.com)
2018-10-05 12:11:46

@RobE Try in the Sentry itself....

Barrie Codona (barrie.codona@hotmail.com)
2018-10-05 12:11:51
👍 Mark Vonk, Preetham Guram, RobE
RobE (robert.kreuzer@outlook.com)
2018-10-05 13:49:44

Son of a mother, there she is! Saved my day @Barrie Codona. thanks! 🙏

👍 Woody, Barrie Codona
RobE (robert.kreuzer@outlook.com)
2018-10-05 13:50:52

How could I miss that! 🙈

Woody (eric.woodland@trust.tc)
2018-10-05 15:57:53

Forgot about that option - Good one @Barrie Codona

👍 Barrie Codona, RobE
RobE (robert.kreuzer@outlook.com)
2018-10-05 20:06:57

Got another one: In-house app for iOS version 1.0 silently deployed via Core and installed on the devices. Version 1.1 uploaded into the AppCatalog, applied to the same label as Version 1.0 for silent deployment. That doesn’t work - app remains version 1.0. Does the update only work when it's not deployed for silent installation?

NicolasR (raison_nicolas@me.com)
2018-10-05 20:17:00

Are both CFBundleVersion and CFBundleShortVersion updated to 1.1 or increased?

😎 SebastienP, Preetham Guram, RobE
RobE (robert.kreuzer@outlook.com)
2018-10-06 05:31:26

Yes they have been increased!

Tinus (freewheelzgroningen@gmail.com)
2018-10-09 12:12:41

@Tinus has joined the channel

Herman (herman@thijssens.nl)
2018-10-09 12:17:42

@Herman has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-10-09 17:27:56

Hey guys, migration of Core - enable HA feature for syncing everything to the new Core and then use the new Core as primary, and finally disable HA feature? Any known issues I might run into?

Mark Vonk (mark.vonk@dahvo.com)
2018-10-09 19:03:56

No should work like a charm

Jason Bayton (jason@bayton.org)
2018-10-09 19:08:31

How would that compare in time & effort vs taking a backup and restoring to a fresh core without system settings?

👍 RobE
Mark Vonk (mark.vonk@dahvo.com)
2018-10-09 19:28:23

A little more time as you have to enable HA. But the HA sync is almost the same as a backup/restore

Barrie Codona (barrie.codona@hotmail.com)
2018-10-09 19:58:23

You would also need to engage with a qualified MI Partner or Professional Services to enable HA on both Core servers. Might be easier to use Jason's suggestion.

Mark Vonk (mark.vonk@dahvo.com)
2018-10-09 20:10:16

Both are viable options. Used both before and work fine. Some details are listed here: https://community.mobileiron.com/docs/DOC-2179. For customers using HA already, the HA route might be best. For others, simple backup/restore is probably easier

👍 RobE
Carlos Martin (cmartin@qolcom.co.uk)
2018-10-10 09:18:49

@Carlos Martin has joined the channel

Martijn (mvandijk@mobileiron.com)
2018-10-10 10:38:43

@Martijn has joined the channel

TedStryker (supacatsf@gmail.com)
2018-10-10 11:58:43

@TedStryker has joined the channel

rayleidle (ray.leidle@gmail.com)
2018-10-10 16:29:40

@rayleidle has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-10-11 07:46:53

anyone experiencing this: https://community.mobileiron.com/docs/DOC-8392 getting this on a regular basis, only using SCEP for Core local CA

NicolasR (raison_nicolas@me.com)
2018-10-11 18:41:49

Yes with OpenTrust CA

RobE (robert.kreuzer@outlook.com)
2018-10-11 18:49:27

How do you mean?

macbentosh (benbergthold@gmail.com)
2018-10-12 22:19:23

anyone here today

macbentosh (benbergthold@gmail.com)
2018-10-12 22:19:53

really weird issue. Imported an app and it shows in the Core catalog and is scoped to a user label but does not show on the devices

Jason Bayton (jason@bayton.org)
2018-10-13 19:36:20

Android or iOS?

macbentosh (benbergthold@gmail.com)
2018-10-15 16:07:01

iOS

NicolasR (raison_nicolas@me.com)
2018-10-15 22:58:30

Maybe the apps are « iPad only » apps or the minimum required version is not met

👍 Woody
Woody (eric.woodland@trust.tc)
2018-10-16 14:40:54

I concur w/ @NicolasR - If it’s not being presented, there’s something at a higher level preventing it.

macbentosh (benbergthold@gmail.com)
2018-10-16 16:25:52

it's iOS and iPad

macbentosh (benbergthold@gmail.com)
2018-10-16 16:26:02

just doesn't show and does not push

macbentosh (benbergthold@gmail.com)
2018-10-16 16:27:09

and we're in the middle of contract renewal so support line hangs up on me

Woody (eric.woodland@trust.tc)
2018-10-16 16:49:00

So, it doesn’t even make it to a point of queueing to deliver to the device (in the MDM logs). Right?

Woody (eric.woodland@trust.tc)
2018-10-16 16:51:38

Device/App are bound to the label in question. Yeah?

macbentosh (benbergthold@gmail.com)
2018-10-16 16:51:53

it does not and yes

Woody (eric.woodland@trust.tc)
2018-10-16 17:07:32

Fresh app or an update to an existing one?

RobE (robert.kreuzer@outlook.com)
2018-10-16 18:46:20
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2018-10-17 10:34:06

Hello,

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2018-10-17 10:35:49

Does anybody have experience with the Work Schedule policy? Does it work? Is there something to mention since the device is out of compliance in that time? How does it work if the device is in another timezone than the configured one?

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-10-17 12:38:38

Hi Wolfgang, never tried it. I guess that the timezone is relevant to the Sentry/Core NTP settings - so you might have to manage different policies based on the user timezone and check the delta with the server's timezone!

Jason Bayton (jason@bayton.org)
2018-10-18 13:49:02

Does anyone use MI Cloud? Is it disastrously slow in pushing down configs and apps for you too?

Mark Vonk (mark.vonk@dahvo.com)
2018-10-18 14:03:06

eu1?

Mark Vonk (mark.vonk@dahvo.com)
2018-10-18 14:04:51

Noticed nothing so far on EU1, to be honest.

Jason Bayton (jason@bayton.org)
2018-10-18 14:10:37

yes eu1. initial enrolments for ae devices seem to go ok, but after a wipe and re-enrol it’s taking +20 minutes to get the managed google play account provisioned on the device. A further 10 for passcode config.. still no apps pushed an hour later

macbentosh (benbergthold@gmail.com)
2018-10-18 16:05:35

hey all I see a way to set Default Device Name Configuration in cloud. Has that made it to core?

Jason Bayton (jason@bayton.org)
2018-10-18 16:46:48

@Mark Vonk known issue in cloud apparently. MI are manually deleting the offending left-over device IDs that are clashing with the re-enrol from the DB. Messy.

NicolasR (raison_nicolas@me.com)
2018-10-18 18:18:39

I had similar issues with MI CLOUD a few weeks ago. The issue seems to be more on the link between MI & Google.

Jason Bayton (jason@bayton.org)
2018-10-18 18:21:43

Won't be fixed today. They clarified they can't edit the DB on cloud so I'm waiting for their solution 🙄

Kiran Patel (kiran@kiranpatel.net)
2018-10-18 22:55:46

Is there a good site to find Microsoft iOS App plist files pre-built or do we need to build these manually?

👍 RobE, Wolfgang Bauer
NicolasR (raison_nicolas@me.com)
2018-10-25 10:17:57

Hi @here has anyone configured Google API connection with CORE/CLOUD?

NicolasR (raison_nicolas@me.com)
2018-10-25 10:18:16

the question is: Is it possible to import users Google identity?

NicolasR (raison_nicolas@me.com)
2018-10-25 10:18:38

If I have a user located ONLY in Google G-suite and NOT in Active Directory?

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-10-25 13:04:18

Hi Nicolas, as far as I know this Google API connection for identity is used to set the Google Password (we are using this OnPrem for a large customer)

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-10-25 13:04:59

(in this case the users don't know their google Password, only MobileIron does it. I don't know if there is some other usage of these APIs...)

NicolasR (raison_nicolas@me.com)
2018-10-25 13:34:14

That is what I have in mind yes

NicolasR (raison_nicolas@me.com)
2018-10-25 13:34:28

but I wonder if CORE/CLOUD can import user identity based on that

NicolasR (raison_nicolas@me.com)
2018-10-25 13:34:49

On Cloud there is an option that doesn't manage user password from MI CLOUD

NicolasR (raison_nicolas@me.com)
2018-10-25 13:34:57

not sure if the option is available on CORE

Mark Vonk (mark.vonk@dahvo.com)
2018-10-25 13:47:53

I do not think so, for Core.

Clark (76clark@gmail.com)
2018-10-26 00:56:34

@Clark has joined the channel

Erik Baier (erik.baier@nomasis.ch)
2018-10-26 08:34:29

@Erik Baier has joined the channel

Daniël Kraaijeveld (daniel.kraaijeveld@twentynice.com)
2018-11-03 09:35:59

@Daniël Kraaijeveld has joined the channel

Erica Mixon (emixon@techtarget.com)
2018-11-07 16:51:57

@Erica Mixon has joined the channel

NicolasR (raison_nicolas@me.com)
2018-11-08 13:05:48

Hi guys, a customer asked me if MI could manage standalone (meaning not connected to smartphone) wearOS devices

NicolasR (raison_nicolas@me.com)
2018-11-08 13:05:54

any idea?

Clark (76clark@gmail.com)
2018-11-08 13:26:31

At this time MI can not manage standalone wearables.

NicolasR (raison_nicolas@me.com)
2018-11-08 13:34:44

do you know if at least Google allows this in WearOS?

Clark (76clark@gmail.com)
2018-11-08 13:35:20

I am not sure if Google has opened these API's for EMM control

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-08 13:35:44

I’m not aware of a wearos device being able to operate stand alone but I could be wrong

Jason Bayton (jason@bayton.org)
2018-11-08 15:10:47

They can run standalone to a degree with a network connection but can't be managed

NicolasR (raison_nicolas@me.com)
2018-11-08 16:58:50

On a standalone mode are you able to connect a G-Suite account on them?

NicolasR (raison_nicolas@me.com)
2018-11-08 16:59:05

Or do you need a smartphone to configure this?

Jason Bayton (jason@bayton.org)
2018-11-08 19:34:59

Smartphone for initial config

NicolasR (raison_nicolas@me.com)
2018-11-08 20:34:32

Great! thanks 🙂

Martin (martin.blattmann@nomasis.ch)
2018-11-09 19:18:27

@Martin has joined the channel

Andrew Olpin (andy@olpin.us)
2018-11-10 01:11:17

@Andrew Olpin has joined the channel

Karthic (karthicbe@gmail.com)
2018-11-10 03:59:15

@Karthic has joined the channel

mahiroux (mhyb.mk@gmail.com)
2018-11-10 04:20:35

@mahiroux has joined the channel

Phil Hackett (phil.hackett83@gmail.com)
2018-11-10 06:18:29

@Phil Hackett has joined the channel

Bart T. (bart.thomas@proximus.com)
2018-11-10 21:27:58

@Bart T. has joined the channel

Victor Cruz (victor@cruzcid.com)
2018-11-11 21:21:07

@Victor Cruz has joined the channel

BenReynish (reynish@ntlworld.com)
2018-11-11 22:16:10

@BenReynish has joined the channel

Captain Web (tristan.valente@amaris.com)
2018-11-12 15:43:11

@Captain Web has joined the channel

macbentosh (benbergthold@gmail.com)
2018-11-12 17:56:41

Hi all, need a label if anyone can assist. I would like a label that is all users registered after today's date.

macbentosh (benbergthold@gmail.com)
2018-11-12 18:04:11

will this keep adding?

macbentosh (benbergthold@gmail.com)
2018-11-12 18:04:12

"common.creation_date" >= "now-1d" AND "ios.IsDEPEnrolledDevice" = true

Clark (76clark@gmail.com)
2018-11-12 18:37:34

@macbentosh are all devices you want to key off of DEP enabled devices? And to be clear, you want the label to collect devices that were registered the day before?

macbentosh (benbergthold@gmail.com)
2018-11-12 18:38:28

we are rolling out a wifi change. I want a label with all devices registered after today's date and going forward.

macbentosh (benbergthold@gmail.com)
2018-11-12 18:38:33

I can add the dep part

Clark (76clark@gmail.com)
2018-11-12 18:50:08

seems that we can not add a specific date for it to follow. With what you have listed for this bit: "common.creation_date" >= "now-1d" will cover devices that have been registered in one day or less and on the second day would be dropped off. Using: "common.creation_date" <= "now-1d" will cover devices that have been enrolled for at least one full day. Does not appear that either will meet your use case

macbentosh (benbergthold@gmail.com)
2018-11-12 18:51:06

hmmm

Jason Bayton (jason@bayton.org)
2018-11-12 18:51:48

I'll have a lookie later if it's unanswered 👍

macbentosh (benbergthold@gmail.com)
2018-11-12 18:52:46

lol @Jason Bayton first thoughts?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-12 18:55:56

I'd personally do it the other way round.

Tag the existing devices manually, assign the old wifi profile to that tag, and then exclude that tag from the new profile applying it to all devices.

👍 Woody, NicolasR
macbentosh (benbergthold@gmail.com)
2018-11-12 19:01:41

like a custom attrib?

Jason Bayton (jason@bayton.org)
2018-11-12 19:16:03

The AW equivalent to that yep. Tbh my first thought is stick new users in an additional AD group and base it off that.. but I'll see what I can do with date.

macbentosh (benbergthold@gmail.com)
2018-11-12 19:17:20

I could apply a custom attrib to all just not sure how that will play in to the performance of core. Any probs doing that to 2500 devices?

Jason Bayton (jason@bayton.org)
2018-11-12 19:17:40

Shouldn't be, it's just a ballache

😆 Woody
JP Guldfeldt (jpguldfeldt@hotmail.com)
2018-11-12 19:20:16

@JP Guldfeldt has joined the channel

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-12 19:20:32

Not sure if it can be done easily in mobileiron, but it's something I'd script in airwatch via API as you can't select multiple devices and add to a manual tag, you have to do it one by one.

It would be my preferred way as it's a fire and forget way rather than continually maintaining it.

The old devices should lose the tag as and when they're retired or reactivated making the tag obsolete after a while.

macbentosh (benbergthold@gmail.com)
2018-11-12 20:19:44

so survey then….Add to manual label or custom attrib.

Jason Bayton (jason@bayton.org)
2018-11-12 20:23:14

Neither?

macbentosh (benbergthold@gmail.com)
2018-11-12 20:33:21

@Jason Bayton This is a 5 min thing in JAMF for me… What were you thinking

Jason Bayton (jason@bayton.org)
2018-11-12 20:34:20

Wrote it above! I'll be on my laptop within the hour

macbentosh (benbergthold@gmail.com)
2018-11-12 20:35:17

the users that set up our devices don't have ldap access

🙄 Jason Bayton
Jason Bayton (jason@bayton.org)
2018-11-12 20:44:35

That'll keep you busy then! 😋

macbentosh (benbergthold@gmail.com)
2018-11-12 20:50:18

well I could do a custom attrib for Old wifi = true then create a label for old wifi !=true

macbentosh (benbergthold@gmail.com)
2018-11-12 20:50:20

right

Jason Bayton (jason@bayton.org)
2018-11-12 20:53:15

Yeah but unless you use assemble it's a very manual process

macbentosh (benbergthold@gmail.com)
2018-11-12 20:54:17

just 12 pages of select all and assign to attrib right?

Jason Bayton (jason@bayton.org)
2018-11-12 21:07:49

Yes. 12 pages 😂

macbentosh (benbergthold@gmail.com)
2018-11-12 21:18:24

lol

macbentosh (benbergthold@gmail.com)
2018-11-12 21:18:27

working on it

macbentosh (benbergthold@gmail.com)
2018-11-12 21:19:56

going with this

macbentosh (benbergthold@gmail.com)
2018-11-12 21:19:57

("custom.device.AutoCMCPROD" != 1) AND "common.retired" = false

Andrew Olpin (andy@olpin.us)
2018-11-12 21:34:59

There has to be a way to specify a date by modifying the advanced search, but the date format is probably wonky

macbentosh (benbergthold@gmail.com)
2018-11-12 21:44:15

it's really odd, the label posted shows only 8 devices but added to a config it adds 500+

macbentosh (benbergthold@gmail.com)
2018-11-12 21:55:30

looks like it has to be this way

macbentosh (benbergthold@gmail.com)
2018-11-12 21:55:31

"custom.device.AutoCMCPROD" = null

Jason Bayton (jason@bayton.org)
2018-11-12 22:04:22

Why doesn’t the former work for you? That should select all devices where AutoCMCPROD isn’t 1

macbentosh (benbergthold@gmail.com)
2018-11-12 22:23:05

it does in the label view however when applied to a config or a policy it adds 500+ devices

macbentosh (benbergthold@gmail.com)
2018-11-12 22:59:45

("custom.device.AutoCMCPROD" = null) AND "ios.IsDEPDevice" = true AND "common.retired" = false

JF Rigot (jr@mob.co)
2018-11-13 16:34:30

@JF Rigot has joined the channel

Karim (karim.trivier@codalis.ch)
2018-11-13 17:37:57

@Karim has joined the channel

Ray (raymond.wright@gov.scot)
2018-11-13 17:46:24

@Ray has joined the channel

macbentosh (benbergthold@gmail.com)
2018-11-13 20:40:44

anyone ever enrolled an android projector?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-13 20:48:24

*Thread Reply:* No but do let me know how you get on!!

What projector are you playing with? Not just a case of side loading the agent?

Woody (eric.woodland@trust.tc)
2018-11-13 20:51:15

*Thread Reply:* Wait. Android Projector? Interesting!

RobE (robert.kreuzer@outlook.com)
2018-11-13 21:01:46

*Thread Reply:* Interesting

macbentosh (benbergthold@gmail.com)
2018-11-13 21:12:25

*Thread Reply:* Anker nebula

Woody (eric.woodland@trust.tc)
2018-11-13 21:13:49

*Thread Reply:* That’s awesome. I never really figured that would be a market we’d see Android on. There is that open source project though, so I guess it was bound to happen eventually!

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-13 21:14:22

*Thread Reply:* Seems to run android 7.1 I don’t see why you couldn’t side load an agent... not sure what control you’d get over it though

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-13 21:14:29

*Thread Reply:* Love to see the results though!

macbentosh (benbergthold@gmail.com)
2018-11-13 21:31:06

*Thread Reply:* I just want to block apps and add wifi

macbentosh (benbergthold@gmail.com)
2018-11-13 21:37:06

*Thread Reply:* anyone have the latest apk handy

Jason Bayton (jason@bayton.org)
2018-11-13 22:25:41

*Thread Reply:* I've enrolled the Xperia Touch and it locks down lovely.

Jason Bayton (jason@bayton.org)
2018-11-13 22:27:27
macbentosh (benbergthold@gmail.com)
2018-11-13 22:40:13

*Thread Reply:* Noice

macbentosh (benbergthold@gmail.com)
2018-11-13 22:54:26

*Thread Reply:* Now I need a whole new set of policies

macbentosh (benbergthold@gmail.com)
2018-11-13 23:06:05

@Jason Bayton are you able to look at my wifi config and tell me why android hates it?

Jason Bayton (jason@bayton.org)
2018-11-13 23:58:18

*Thread Reply:* Sure

macbentosh (benbergthold@gmail.com)
2018-11-14 15:33:39
Jason Bayton (jason@bayton.org)
2018-11-14 21:44:20

*Thread Reply:* Hmm, and what’s Android not doing with that?

macbentosh (benbergthold@gmail.com)
2018-11-14 21:50:34

*Thread Reply:* the proxy and passing creds

Jason Bayton (jason@bayton.org)
2018-11-14 21:53:17

*Thread Reply:* Do you see the certs pushed to the device at least to begin with?

macbentosh (benbergthold@gmail.com)
2018-11-14 22:33:04

*Thread Reply:* no

Jason Bayton (jason@bayton.org)
2018-11-14 22:33:24

*Thread Reply:* Are the relevant certs assigned to labels?

macbentosh (benbergthold@gmail.com)
2018-11-14 23:47:11

*Thread Reply:* they don't get applied just told they can trust it.

Jason Bayton (jason@bayton.org)
2018-11-15 06:13:30

*Thread Reply:* If in doubt, assign to labels; like Windows Phone, things like SCEP need to be assigned directly to the AE device label(s), so I’d rule that out

Jonas Hofer (jonas.hofer@nomasis.ch)
2018-11-14 08:00:41

@Jonas Hofer has joined the channel

Peter-Marc Krombos (pm.krombos@gmail.com)
2018-11-14 08:26:50

@Peter-Marc Krombos has joined the channel

Nicola (nicola.aloise@nomasis.ch)
2018-11-14 09:32:01

@Nicola has joined the channel

JF Rigot (jr@mob.co)
2018-11-14 11:46:19

Hi All, I would like to implement O365 with cert-based authentication. Ok for the native app, but what if I want to reduce the user-interaction... with the Outlook app? Is there a way to push config that will not prompt the user for any password?

JF Rigot (jr@mob.co)
2018-11-14 11:50:48

It does seem like it is feasible here (https://docs.microsoft.com/en-gb/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune) but isn't that limited to Intune? What about MobileIron?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-14 11:58:43

*Thread Reply:* Yes, but it has to route via the MS Authenticator app I believe.

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/AzureAD-Certificate-based-authentication-for-iOS-and-Android-now/ba-p/244999

👍 JF Rigot
JF Rigot (jr@mob.co)
2018-11-14 12:23:32

*Thread Reply:* ok, Did not think of this one. Thanks. Will investigate

Woody (eric.woodland@trust.tc)
2018-11-14 13:46:11

*Thread Reply:* @JF Rigot so you are wanting to deploy a CBA Exchange Configuration to iOS/Android for ActiveSync and then have a similar experience with the Outlook (modern) clients. Correct?

Woody (eric.woodland@trust.tc)
2018-11-14 13:47:52

*Thread Reply:* Are you using MobileIron Cloud or Core?

Woody (eric.woodland@trust.tc)
2018-11-14 13:49:18

*Thread Reply:* If you’re able to, I would begin considering walling-off ActiveSync. If it needs to stay around, go the CBA route. For Modern, your best bet is to use MobileIron Access and its Mobile SSO feature.

JF Rigot (jr@mob.co)
2018-11-14 14:31:05

*Thread Reply:* Core.

JF Rigot (jr@mob.co)
2018-11-14 14:31:42

*Thread Reply:* But it might be a bit ambitious 🙂

Woody (eric.woodland@trust.tc)
2018-11-14 14:32:27

*Thread Reply:* Sending you a document in DM

RobE (robert.kreuzer@outlook.com)
2018-11-14 12:20:12

Guys, does the host pairing restriction within the restriction on Core prevent access to the storage on the iOS device when connected via USB?

Mark Vonk (mark.vonk@dahvo.com)
2018-11-14 13:42:54

Indeed. If you restrict host pairing, the device does not respond to USB on any other host than the configuration host (if applicable).

Mark Vonk (mark.vonk@dahvo.com)
2018-11-14 13:47:15

It is a Supervised restriction. If you supervise the device using configurator, you can deploy the configurator certificate. In that case, the device can still pair with the configurator host. If supervised using dep or if you do not supply the certificate, the device can’t connect to any host anymore. This includes windows, apple, iTunes, etc.

RobE (robert.kreuzer@outlook.com)
2018-11-14 18:00:19

*Thread Reply:* Thanks Mark for the quick reply. Sounds great! 🤙

Arjan Vermeulen (mobilxperts@arjanvermeulen.nl)
2018-11-14 14:15:58

@Arjan Vermeulen has joined the channel

Alex Chappuis (alex@creasion.ch)
2018-11-14 14:21:18

@Alex Chappuis has joined the channel

Paul Troisi (ptroisi@troymobility.com)
2018-11-14 14:34:51

@Paul Troisi has joined the channel

Tim Ward (tim.ward@artisanpartners.com)
2018-11-14 14:44:46

@Tim Ward has joined the channel

Jason Bayton (jason@bayton.org)
2018-11-14 21:51:12

@here

} Kory Harker (https://mobilxperts.slack.com/team/UE3D39KV1)
Kory (kharker@cradlepoint.com)
2018-11-14 21:52:34

@Kory has joined the channel

Russell Mohr (rmohr@mobileiron.com)
2018-11-15 00:14:52

@Kory devices check in hourly-- all devices including macOS

✅ Woody
Russell Mohr (rmohr@mobileiron.com)
2018-11-15 00:15:12

Device enrollment with Apple Business Manager is supported

Russell Mohr (rmohr@mobileiron.com)
2018-11-15 00:18:55

Are you on Cloud or Core btw?

Kory (kharker@cradlepoint.com)
2018-11-15 03:02:30

@Russell Mohr Cloud

Russell Mohr (rmohr@mobileiron.com)
2018-11-15 03:05:28

@Kory you are a current MobileIron customer? Check out the macOS Center of Excellence at https://community.mobileiron.com/docs/DOC-5371

Kory (kharker@cradlepoint.com)
2018-11-15 03:06:22

I am a current customer, we just signed the contract recently, but I do not have a community login. I was just filing the request

Russell Mohr (rmohr@mobileiron.com)
2018-11-15 03:06:35

gotcha

Russell Mohr (rmohr@mobileiron.com)
2018-11-15 03:08:17
Kory (kharker@cradlepoint.com)
2018-11-15 03:12:17

Thank you. Now I just need to locate my account number.

Russell Mohr (rmohr@mobileiron.com)
2018-11-15 03:22:25

what company are you with?

Russell Mohr (rmohr@mobileiron.com)
2018-11-15 03:23:26

nevermind- I found you

Subbzz (s.subiah@septagon.co.nz)
2018-11-15 07:24:23

@Subbzz has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-11-15 16:45:10

Guys we talked about this in the past - give me some input how you handle the best practises in terms of device backup of a MobileIron enrolled device. Use Case: Private use is allowed on company owned devices. Users are taking backups (iOS=iTunes or iCloud, Android=Smart Switch). I know that you, @Jason Bayton mentioned that you would not allow backups. What would you recommend? I don’t see a problem when a MobileIron enrolled device is being restored - should be able to find its way back to Core, right? Enable backup data of AppConnect apps like Email+? I think there are a lot of moving parts.

Jason Bayton (jason@bayton.org)
2018-11-15 16:49:40

I'm not in favour of enabling backups, no. Not unless it's a BYOD/COPE device anyway.

👍 RobE
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-15 16:50:55

I don't see any major harm as long as any corporate apps are flagged as managed and backup of those apps is disabled.

👍 RobE
RobE (robert.kreuzer@outlook.com)
2018-11-15 16:54:58

OK got it, thanks. Well on BYOD/COPE, is it even possible to restore the data within the work profile/workspace?

RobE (robert.kreuzer@outlook.com)
2018-11-15 16:55:31

Google told us there is no way to grab the data within the workspace

Jason Bayton (jason@bayton.org)
2018-11-15 17:05:05

I was referring to personal data only - backup service is disabled by default in the profile and there's nothing to back it up to unless you push a service or managed Google account yourself I guess

🤙 RobE, Simon Hardy-Bistagne
RobE (robert.kreuzer@outlook.com)
2018-11-15 17:59:00

Sounds logical!

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-15 18:00:19

I forget my head is normally in the Apple world... Yeah, for Corp dedicated on Android I'd block it... iOS I'm not fussed too much

👍 RobE
Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 18:26:12

Not anymore with iOS. There used to be some issues when the backup was restored and how the Mobile@work app responded to that. But if you make sure the iCloud backup does not contain managed app data, everything should be fine.

👍 RobE
Jeroen J.V Lebon (Open for new opportunities) (jeroen.lebon@citrix.com)
2018-11-15 19:34:39

@Jeroen J.V Lebon (Open for new opportunities) has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-11-15 19:34:53

Nice, gotta check that out.

RobE (robert.kreuzer@outlook.com)
2018-11-15 19:38:07

Again I need to throw this question into the ring: was anybody able to find a car that works with CallKit and iOS Email+ in terms of the caller-id and calling business contacts through the car console? This is the number one question I get from customers all the time and I was not able to find a solution yet!

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:06:07

My Volvo has CarPlay and that works with Email+ and the Callkit feature. If I switch to regular Bluetooth connection between it and the iPhone, it does not display the caller ID. Callkit is for identifying incoming calls only. So it does not work for calling business contacts anyway.

RobE (robert.kreuzer@outlook.com)
2018-11-15 20:10:41

Ah yikes, got it. So when the business contacts are locked within Email+ you are also not able to call them with CarPlay, right? At least on iOS the native mail app could come into play for that since the managed contacts can be secured.

RobE (robert.kreuzer@outlook.com)
2018-11-15 20:11:55

I have seen the option „export to CallKit“ within the iOS Email+ settings, what's that for?

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:13:29

Not able to call them indeed. Only see the caller ID when being called. With iOS 12, you can set the read/write to managed contacts again. That should allow users to export contacts from email+ again to the native contacts app.

RobE (robert.kreuzer@outlook.com)
2018-11-15 20:20:15

😱 Good lord, totally forgot about that. Not really clear to me how I can use it. So if I enable that, I can export the contacts from Email+ into the native contacts app. But where is the difference between the iOS 11.3 feature „allow unmanaged documents access managed documents“..

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:27:38
Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:27:38

In iOS 11.3 the contacts app adhered to the concept of managed and unmanaged data. If you use mdm to push an Exchange config, the contacts are managed. If you use Email+ as a managed app, you could not export the contacts (managed because in the managed Email+ app) to the native contacts app (unmanaged)

In iOS 12, you can use MDM to make the following exceptions to this policy:

Allow unmanaged apps to access managed contacts (for example allow WhatsApp to read managed contacts in the native contacts app)

Allow managed apps to save contacts to the local Contacts app (for example allow Email+ to save contacts to the native contacts app)

So depending on what you want, you should set the second (at least for your car issues) and maybe the first if you want other apps to use the contacts also.

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:28:16

Tried to upload the config, but does not seem to work from my iPhone.... seems like it’s uploaded as a picture. If you need it, let me know.

RobE (robert.kreuzer@outlook.com)
2018-11-15 20:29:21

This is awesome, thank you so much Mark! 🍺 Sounds good!

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:32:26

No problem. To be honest, I would use those instead of relying on Carkit features. It’s too limited and does not universally work. Most organizations do not require contact information to be securely contained.

RobE (robert.kreuzer@outlook.com)
2018-11-15 20:33:51

Right. Well most of our use cases are WhatsApp is not allowed to use the business contacts and Caller-ID in the car must work! 😊

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:38:11

Ok, you would need the second. MobileIron does not have a restriction setting for it, I believe. So you would need to push a mobileconfig. Create an empty one and add the following:

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:38:59
RobE (robert.kreuzer@outlook.com)
2018-11-15 20:39:39

Perfect, thanks! In addition to the 11.3 feature, right?

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:43:44

In addition? The 11.3 feature is not something you can change. This is only needed if you have/had the restriction "Allow documents from managed apps to unmanaged apps" turned off (de-selected). If you have this checked (so Allowed), contacts export from Email+ should have worked anyway. This restriction has been available for a long time, but did not apply to contacts because the native contacts app did not respect managed vs. unmanaged data/accounts. This came into effect with iOS 11.3.

RobE (robert.kreuzer@outlook.com)
2018-11-15 20:50:45

Ok, right now „allow documents from managed apps to unmanaged apps“ is de-selected with most of our customers, but with this they use Native Mail App - WhatsApp has no access to Exchange, and Caller-ID works as well.

👍 Woody
RobE (robert.kreuzer@outlook.com)
2018-11-15 20:53:36

I will test this with Email+ like you mentioned!

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:55:05

Caller ID always works, regardless of the restrictions set. As long as your contacts are in the native contacts apps.

RobE (robert.kreuzer@outlook.com)
2018-11-15 20:55:33

Right

Mark Vonk (mark.vonk@dahvo.com)
2018-11-15 20:59:10

With Email+, you are trying to export (write) the contacts (managed) to the native contacts apps (unmanaged). So that flow is: write from managed to unmanaged. That's different than 3rd party apps (WhatsApp, unmanaged) trying to get read access to the native contacts that are from a MDM managed Exchange account (managed). That flow is: read from unmanaged app (in)to managed contacts

👍 Woody
RobE (robert.kreuzer@outlook.com)
2018-11-15 21:00:51

Perfect explanation! Thanks! 🙏 Let‘s do it!

David Arvidsson (david.arvidsson@techstep.se)
2018-11-16 10:08:22

@David Arvidsson has joined the channel

Almar Diehl (almar.diehl@blaud.com)
2018-11-16 11:48:43

@Almar Diehl has joined the channel

Tobias (tobias.gruenewald@ebf.com)
2018-11-16 16:20:18

Apparently I am not finding enough time for this Slack 😞 So apologies for responding to a request from a few days ago. But I thought this might be helpful for some...

You can use Epoch/Unix millisecond timestamps in elasticsearch filter criteria. An example:

"common.registration_date" >= 1542240000000

All devices registered since yesterday.

} Ben (https://mobilxperts.slack.com/team/U5BE2DYRH)
🙏 fridomac
Captain Web (tristan.valente@amaris.com)
2018-11-16 16:24:27

@Tobias Another useful tip with criteria is that you can use the value “null” for a custom attribute. When you create a custom attribute it is instantly attributed to every device. Instead of having a real null value (meaning there is nothing), the value is a string called “null”, so you can use this to create a custom attribute that is “set” for everyone by default without actually assigning it. Just a cool tip

Captain Web (tristan.valente@amaris.com)
2018-11-16 16:25:25

Particularly useful when you need to split some conf distribution and LDAP groups is not valid criteria

Almar Diehl (almar.diehl@blaud.com)
2018-11-16 16:26:47

I don’t know when MobileIron sneaked this one in but Core 10 shows an extra device attribute called Security Patch Level Date. Before we only had Security Patch Level which was not a date field. With the new attribute it is now possible to create labels/compliance rules based on the Android patch level. Either use "android.securitypatchdate" <= "now-30d" to have a label with all devices with a patch level older than 30 days or (f.i.) "android.securitypatchdate" < 1541030400000 to have a label with all devices with a patch < November first 2018.

👍 Captain Web
Jason Bayton (jason@bayton.org)
2018-11-16 16:27:31

It’s been there a little while I think, and is a very cool attribute!

Kory (kharker@cradlepoint.com)
2018-11-16 19:00:58

@here Any tips with registering the LDAP Connector? The registration fails stating, please check your username and password. I have tried multiple times and I can login to the Cloud tenant with this username and password. Any ideas?

Woody (eric.woodland@trust.tc)
2018-11-16 19:15:39

LDAP Connector for MobileIron Core/Cloud or either @Kory?

Kory (kharker@cradlepoint.com)
2018-11-16 19:15:48

Cloud

Woody (eric.woodland@trust.tc)
2018-11-16 19:16:20

It’s been a minute, but I recall the syntax having to be just right

RobE (robert.kreuzer@outlook.com)
2018-11-16 19:18:48

@Mark Vonk could you send me that config which works for you? I can export the contacts from Email+, but unmanaged apps like WhatsApp or Signal can still grab the business contacts. “Managed apps write to unmanaged contacts is allowed” - also “Opening documents from managed to unmanaged apps not allowed”..

Mark Vonk (mark.vonk@dahvo.com)
2018-11-16 19:21:39

What does the mobileconfig file look like now?

RobE (robert.kreuzer@outlook.com)
2018-11-16 19:30:23

*Thread Reply:* I have created the payload with the AC2 - these are active:

RobE (robert.kreuzer@outlook.com)
2018-11-16 19:30:35

*Thread Reply:*

RobE (robert.kreuzer@outlook.com)
2018-11-16 19:30:44

*Thread Reply:*

RobE (robert.kreuzer@outlook.com)
2018-11-16 19:30:56

*Thread Reply:*

RobE (robert.kreuzer@outlook.com)
2018-11-16 19:31:50

*Thread Reply:* I have 12.0.1

RobE (robert.kreuzer@outlook.com)
2018-11-16 19:34:24

*Thread Reply:* Oh, in the settings on device I can see that the payload is different: Unmanaged apps read managed contacts allowed - what the hell? It is set to false in the XML.

RobE (robert.kreuzer@outlook.com)
2018-11-16 19:40:25

*Thread Reply:*

RobE (robert.kreuzer@outlook.com)
2018-11-16 19:59:44

*Thread Reply:* ok now I have only the one option :

RobE (robert.kreuzer@outlook.com)
2018-11-16 20:00:10

*Thread Reply:*

RobE (robert.kreuzer@outlook.com)
2018-11-17 12:39:27

*Thread Reply:* If you can spot the mistake let me know!

RobE (robert.kreuzer@outlook.com)
2018-11-17 12:49:12

*Thread Reply:* That's the config (from AC2)

Mark Vonk (mark.vonk@dahvo.com)
2018-11-17 14:24:12

*Thread Reply:* I understand now indeed. The contacts that are exported from Email+ to the native contacts, are unmanaged contacts. So any app can read them after they have been exported. Only managed contacts are not shared with unmanaged apps.

👌 RobE
RobE (robert.kreuzer@outlook.com)
2018-11-17 16:00:31

*Thread Reply:* Yikes. That means there is no solution for this?

RobE (robert.kreuzer@outlook.com)
2018-11-17 16:02:45

*Thread Reply:* I thought if the contacts came from a managed app they are also managed contacts..

Mark Vonk (mark.vonk@dahvo.com)
2018-11-18 08:32:55

*Thread Reply:* They are unmanaged. One rule is to allow for apps to export contacts to the native contacts app. At that point they are unmanaged. The other rule allows for unmanaged apps to access managed contacts. That only works for managed contacts (ie mdm pushes Exchange configs). I do not see a solution with those two rules for your use case. You have the most options if you use the native apps instead of email+ for this use case.

RobE (robert.kreuzer@outlook.com)
2018-11-18 10:11:53

*Thread Reply:* You are right.. So at the moment for GDPR compliance and car Bluetooth caller id lets stick with the native client.

Almar Diehl (almar.diehl@blaud.com)
2018-11-16 19:24:51

@Kory Any special characters in the username?

Kory (kharker@cradlepoint.com)
2018-11-16 19:25:23

the username has a dash *-*

Almar Diehl (almar.diehl@blaud.com)
2018-11-16 19:26:35

I don't think dash should cause an issue. I know that + in the username does.

Kory (kharker@cradlepoint.com)
2018-11-16 19:27:36

Can I verify network connectivity on this VM somehow?

Almar Diehl (almar.diehl@blaud.com)
2018-11-16 19:28:45

Yes, you should be able to telnet to your MI cloud instance on port 443.

Kory (kharker@cradlepoint.com)
2018-11-16 19:33:31

I actually do not have telnet as a command available 😕

Almar Diehl (almar.diehl@blaud.com)
2018-11-16 19:34:06

Did you first switch to enable?

Kory (kharker@cradlepoint.com)
2018-11-16 19:36:46

yes

Kory (kharker@cradlepoint.com)
2018-11-16 19:37:27

The only t command I have available is traceroute

Kory (kharker@cradlepoint.com)
2018-11-16 19:37:47

but that actually works to verify I can get out

Kory (kharker@cradlepoint.com)
2018-11-16 19:38:51

or ping haha

Woody (eric.woodland@trust.tc)
2018-11-16 19:39:23

Well, those validate DNS resolution and ICMP connectivity

Kory (kharker@cradlepoint.com)
2018-11-16 19:39:36

do I have the tenant admin username wrong? I am using the account I use to login to our cloud tenant and make Administrative changes.

Woody (eric.woodland@trust.tc)
2018-11-16 19:39:38

But you need Telnet to validate you can speak to the Tenant on 443

Kory (kharker@cradlepoint.com)
2018-11-16 19:39:48

ah yes

Woody (eric.woodland@trust.tc)
2018-11-16 19:43:01

What was the initial Tenant Admin account that was created for your instance of MI Cloud? Go with that

Kory (kharker@cradlepoint.com)
2018-11-16 19:44:03

Yes that is what I am using

Woody (eric.woodland@trust.tc)
2018-11-16 19:47:31

and you say that you are inside the Enable mode. Yeah?

Kory (kharker@cradlepoint.com)
2018-11-16 19:48:31

Correct

Almar Diehl (almar.diehl@blaud.com)
2018-11-16 19:49:38

Any special characters in the password? If so the VMware settings might actually have you type a wrong password. Try and type the password in the username field and see if it is actually OK.

Kory (kharker@cradlepoint.com)
2018-11-16 19:54:43

Okay that verified as correct when I typed the password in the username field.

Kory (kharker@cradlepoint.com)
2018-11-16 19:54:50

Thank both of you for all the help by the way.

Woody (eric.woodland@trust.tc)
2018-11-16 19:57:50

Okay, so did it accept after you did that?

Kory (kharker@cradlepoint.com)
2018-11-16 19:58:43

nope

Kory (kharker@cradlepoint.com)
2018-11-16 19:59:04

I just SSH’d into the VM so I could copy and paste to take the “human” out of the equation of typing the password and it still failed

Woody (eric.woodland@trust.tc)
2018-11-16 19:59:25

Ah, gotcha

Woody (eric.woodland@trust.tc)
2018-11-16 19:59:30

Good approach

Woody (eric.woodland@trust.tc)
2018-11-16 20:00:20

Try this

Woody (eric.woodland@trust.tc)
2018-11-16 20:00:26

Enable --> connector test

Woody (eric.woodland@trust.tc)
2018-11-16 20:01:00

See if all 4 tests succeed

Kory (kharker@cradlepoint.com)
2018-11-16 20:05:56

Success on all of them.

Woody (eric.woodland@trust.tc)
2018-11-16 20:09:00

That’s good. Doesn’t fix the issue, but good to know

Jason Bayton (jason@bayton.org)
2018-11-16 22:12:00

Folks does anyone know why https://accounts.google.com/oauth2/token is coming back as failed under services in every core I have access to? Noticed it a while back and it's had no effect on anything, so I'm just curious

NicolasR (raison_nicolas@me.com)
2018-11-17 11:00:07

*Thread Reply:* Known issue without impact. Fixed in core 10.2

Jason Bayton (jason@bayton.org)
2018-11-17 11:32:19

*Thread Reply:* Wonderful thank you!

Kory (kharker@cradlepoint.com)
2018-11-16 22:45:19

@Woody In case you were curious, I must not have had the required role for my user. I created a new user, promoted them to all roles and I was able to register. I know I have the system management role assigned, but I guess that isn’t enough.

✅ Woody
Woody (eric.woodland@trust.tc)
2018-11-17 01:10:15

Interesting! Thanks for the update @Kory

RobE (robert.kreuzer@outlook.com)
2018-11-20 10:32:43

How do you guys handle the topic shared mailboxes on ActiveSync devices - specifically deploy an additional mailbox (which could be a shared mailbox) for iOS (native, since to my knowledge it is currently not possible with iOS Email+) and Android enterprise Email+ (one additional account possible).. is this even supported from Microsoft? As I understand it is not possible to map a shared mailbox via EAS. How do you handle this? Do you get that often as a use case with customers?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-20 10:56:25

*Thread Reply:* As long as the shared mailbox has an ad username you can deploy it and access it via activesync.

You are limited to only 100 devices though as this is the maximum activesync devices exchange will allow on any single mailbox.

We only do it for very occasional requests but deploying down the account with credentials preloaded into the settings.

👍 Woody
RobE (robert.kreuzer@outlook.com)
2018-11-20 10:59:53

*Thread Reply:* But does a shared mailbox have a password? Because It gets mapped automatically without using credentials within Outlook. It is not an AD user account, right?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-20 11:05:56

*Thread Reply:* Not natively but you can convert it to a different what is essentially a service account details.

It will need its own licence though.

RobE (robert.kreuzer@outlook.com)
2018-11-20 13:02:57

*Thread Reply:* Ok got it! Thx

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-11-20 13:28:06

*Thread Reply:* Shared Mailboxes are more and more requested by customers. We are using the native email app on iOS. It's working well with Kerberos. There is also a known-iOS issue if multiple exchange profiles are using the same activeSync address (sentry.mydomain.com), so as a workaround we are using DNS aliases to make sure there is no synchronization problem, e.g. sentry1,sentry2 etc. pointing to the same IP address. Of course the SSL certificate has to include SAN attributes. For Android Enterprise we recommend the setup with Email+. Also working fine with Kerberos. In all cases we need to manually allow the activeSync association, since the device is not registered with the same user ID as the mailbox. Drop me an email if you need more information!

👍 RobE, Woody, Mark Vonk
Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-11-20 13:29:23

*Thread Reply:* BTW: mobileIron has the shared Mailbox feature in Email+ iOS on the roadmap since more than a year...and it always get postponed.... so I have some doubts it will be ever implemented...

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-20 14:06:27

*Thread Reply:* Yes I think this is on the roadmap for Outlook too... They've released the feature to access the shared calendars a few weeks ago. So mailbox access should follow.

RobE (robert.kreuzer@outlook.com)
2018-11-20 14:15:23

*Thread Reply:* Wow Alex, that known iOS issue passed by me, thanks for the info! Do you have a reference for that bug? So you did enable the shared mailbox user accounts and then use custom attributes for the passwords within the exchange and AE Email+ configs, right?

Woody (eric.woodland@trust.tc)
2018-11-20 15:03:57

*Thread Reply:* @Alex Chappuis this is what we did for those situations as well. Happened to have a wildcard certificate, so just created a new DNS entry and forwarded to the Sentry. Administrative Assistants were never so happy as they were when we rolled that out.

😃 Alex Chappuis, RobE
Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-11-20 15:08:43

*Thread Reply:* @RobE I don't have any :apple_icon: tracking number but just try to distribute two configurations on a single iOS device (with the same backend URL) - you will see that iOS is mixing the inboxes and does not behave as it should! we don't need any password since we are using Kerberos. We are using dedicated SCEP template with hardcoded User UPNs and DNs. That's the beauty of EMM Admin's power 😲 the SCEP Master has simply access to any mailbox (this is btw a risk that has to be explained carefully to the customer). We did not need custom attributes. Just hardcoding some parameters and using the variable $NULL$

👍 RobE, Nicola
RobE (robert.kreuzer@outlook.com)
2018-11-20 15:40:56

*Thread Reply:* Right, should have read Kerberos in your posting 😂

Phil Hackett (phil.hackett83@gmail.com)
2018-11-21 05:32:05

We’ve got reports that the Mobile@Work client is not available in China Apple App Store. Anyone else heard this? The Pulse Secure VPN client was just restored to the App Store in China. It took over a month to get that sorted out....now this! 😤😡

😢 NicolasR
Phil Hackett (phil.hackett83@gmail.com)
2018-11-21 05:47:11

*Thread Reply:* We just got confirmation from Apple that the client is no longer available in China. This is what our users are seeing:

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-11-21 09:55:28

*Thread Reply:* there used to be a similar issue for MI tunnel back in time, it's been replaced by MI Centaur: https://itunes.apple.com/us/app/mobileiron-centaur/id1315143363?mt=8 Or https://community.mobileiron.com/docs/DOC-7346

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-11-21 09:55:48

*Thread Reply:* I don't know if there is also an alternative for M@W

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-11-21 09:56:20

*Thread Reply:* you should ask MI directly!

Phil Hackett (phil.hackett83@gmail.com)
2018-11-21 10:01:21

*Thread Reply:* We’ve got cases open with MI and Apple. The workaround for us will be using clientless (ireg) and pushing the client using VPP.

👍 Woody
Woody (eric.woodland@trust.tc)
2018-11-21 16:15:40

*Thread Reply:* @Phil Hackett In that scenario, would the client derive from a US-based App Store or the China instance?

Woody (eric.woodland@trust.tc)
2018-11-21 16:15:58

*Thread Reply:* If it tried to pull from the China instance, wouldn’t it fail?

Woody (eric.woodland@trust.tc)
2018-11-21 16:16:12

*Thread Reply:* Might be time for MobileIron to update the “Mobile@Work In-House SDK” offering

RobE (robert.kreuzer@outlook.com)
2018-11-21 18:06:05
RobE (robert.kreuzer@outlook.com)
2018-11-21 18:06:08

*Thread Reply:* It is known..

RobE (robert.kreuzer@outlook.com)
2018-11-21 18:06:33

*Thread Reply:* Symptoms: We have received reports that the Mobile@Work application is no longer available in the Chinese App Store beginning on 21 November 2018. Resolution: MobileIron is investigating the cause of this internally and this document will be updated as new information becomes available. The Mobile@Work application remains available in all other regional App Stores.

👍 Woody
Phil Hackett (phil.hackett83@gmail.com)
2018-11-22 08:35:15

*Thread Reply:* We are able to push the Mobile@Work client using device-based VPP. Not sure if this works because our VPP account is from US?

Woody (eric.woodland@trust.tc)
2018-11-23 15:22:10

*Thread Reply:* IIRC Apple said the VPP would follow wherever the top-level account was established

Woody (eric.woodland@trust.tc)
2018-11-23 15:23:18

*Thread Reply:* It’s been awhile since that conversation was had tho

Phil Hackett (phil.hackett83@gmail.com)
2018-11-23 15:25:07

*Thread Reply:* We are assuming the same as well. I’ll throw this question to Apple account manager next week.

👍 Woody
msavolainen (mikko.savolainen@datainfo.fi)
2018-11-21 12:06:48

@msavolainen has joined the channel

Sascha Mogler (sascha@mogler.com)
2018-11-21 17:48:20

@Sascha Mogler has joined the channel

Mathieu Beaugrand (beaugrandma@gmail.com)
2018-11-22 23:15:52

@Mathieu Beaugrand has joined the channel

Rob (robertmjames22@gmail.com)
2018-11-26 23:16:50

@Rob has joined the channel

fridomac (fridomac@googlemail.com)
2018-11-27 13:13:25

Hello everyone! Just updated my 9.7.02-Core to 10.1.0.1…. now I am getting lots of Errors in the MIFS Log (which might be nothing, but are concerning nonetheless):

fridomac (fridomac@googlemail.com)
2018-11-27 13:13:33

`Cannot determine the encryption version from cipher-text`

fridomac (fridomac@googlemail.com)
2018-11-27 13:14:16

and `[PolicyProfileBuilderUtils.getDecryptedString:50] (MIServerWorker-0:) Unable to decrypt:`

fridomac (fridomac@googlemail.com)
2018-11-27 13:14:39

Anybody know what that means? Clients are checking in normally, all Services are verified OK..

Karim (karim.trivier@codalis.ch)
2018-11-27 13:16:00

@Karim has left the channel

Woody (eric.woodland@trust.tc)
2018-11-27 13:44:53

Hello @fridomac - I can’t say I’ve come across those recently. I wonder if the Core is receiving a connection from an older host that’s running SSL or a lower version of TLS, etc. The two errors seem to go hand-in-hand (somewhat). Have you submitted a ticket with support?

fridomac (fridomac@googlemail.com)
2018-11-27 13:47:37

Thanks for the reply @Woody No, as we only seem to have support through a partner (that has gone out of business since) and not through MI directly.

Woody (eric.woodland@trust.tc)
2018-11-27 13:52:08

Ah, okay @fridomac. Sorry to hear that. I’ll check around and see if I can “decrypt” where those messages are stemming from.

Mark Vonk (mark.vonk@dahvo.com)
2018-11-27 14:27:03

@fridomac do you have a DEP connection set up?

fridomac (fridomac@googlemail.com)
2018-11-27 14:30:13

@Mark Vonk yes, I have…

fridomac (fridomac@googlemail.com)
2018-11-27 14:32:58

The DEP sync seems to complete OK…

Mark Vonk (mark.vonk@dahvo.com)
2018-11-27 15:01:13

Ok, any text around the actual error? That might point us what MIFS is doing at that time.

fridomac (fridomac@googlemail.com)
2018-11-27 15:27:32

Had to leave the office early today, will check the logs tomorrow and post them. There was no text that sprang out to me as to what it was doing... I had a lot of devices checking in at the time after the Core was down for the upgrade... Thank you for helping 🙏

Rob (robertmjames22@gmail.com)
2018-11-27 15:33:02

Work for MI. Lots of customers making that upgrade (a very very large one comes to mind) are having that issue. Will need to update the ciphers used in system manager. Will get more information when I have a moment.

👏 Woody, fridomac
Rob (robertmjames22@gmail.com)
2018-11-27 15:38:17

Tldr; set ciphers to default and test in dev first.

"failure for a number of devices to check in was due to an SSL handshake error when connecting to api.push.apple.com. This host is used for the APNSv2 which Apple will be switching to very shortly.

Reviewing the Core's outbound SSL settings, and comparing the cipher list with those successfully selected by api.push.apple.com it was found that Core did not have the appropriate ciphers selected for outbound connections. We set the list to the default recommended cipher suites (which, in the process, removed a number of outdated and insecure ciphers).

After restarting the MIFS service we performed a force checkin on your device and reviewed the logs for any failures. The device did check in, and no more SSL handshake failures were seen."

👍 JP Guldfeldt, fridomac
Rob (robertmjames22@gmail.com)
2018-11-27 15:39:23

Hope that helps mate!

Denmaru (florian.lampel@cancom.at)
2018-11-27 15:54:37

@Denmaru has joined the channel

Anders Ekelund (anders.ekelund@techstep.se)
2018-11-28 11:47:34

@Anders Ekelund has joined the channel

Denmaru (florian.lampel@cancom.at)
2018-11-28 13:34:36

Hello everyone! Is there anything else to do in order to restore a MI Core from a backup file than going to System Manager --> Management --> System Backup, selecting the file and clicking on “Restore”?

NicolasR (raison_nicolas@me.com)
2018-11-28 14:14:47

Required:

  • Create a new CORE from scratch with the same version as in the backup

My experience: You should disable device traffic from reaching the CORE unless they could be devices retired unexpectedly
👍 Alex Chappuis
fridomac (fridomac@googlemail.com)
2018-11-28 14:59:02

@Rob Thank you for the answer. I did that by accident, after the first upgrade from 9.7.0.2 to 10.0.1.0 I reset the ciphers to default, and then did the upgrade to 10.1.0.1. Today everything seems to work fine, devices checking in etc.

Rob (robertmjames22@gmail.com)
2018-11-28 15:01:36

Perfect! Glad it's working now and happy to help!

👏 Woody, fridomac
Rob (robertmjames22@gmail.com)
2018-11-28 15:02:32

@Denmaru if all you are doing is restoring a Core from the system manager you will just need to make sure devices are not checking in, downloading apps, registering devices, etc while this is happening. I am not sure why an additional new Core VM was suggested

✅ Woody
RobE (robert.kreuzer@outlook.com)
2018-11-28 20:51:42

*Thread Reply:* Wow that is news to me. What about migrating an existing Core with round about 10.000 devices to a new Core on a different location ? My plan would be: create a new Core VM (same FQDN) on the new location with the same software version, set all the Firewall rules for the new Core. Export a System backup from the old Core and import the backup into the new Core. Last step switch DNS over to the new one.

Mark Vonk (mark.vonk@dahvo.com)
2018-11-29 14:08:29

*Thread Reply:* Just make sure, when you restore the backup, to select "Exclude System Configs on Restore". Assuming your new Core in a different location, will have a different system config (IP address, interfaces, routes, etc.)

fridomac (fridomac@googlemail.com)
2018-11-28 15:04:08

The only error message I still get is
```
2018-11-28 15:02:33,823 ERROR [Request.parse:1581] (http-bio-127.0.0.1-8083-exec-1031:) Error in status : ERROR
2018-11-28 15:02:33,823 ERROR [Request.parse:1582] (http-bio-127.0.0.1-8083-exec-1031:) Response Error : <?xml version="1.0"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="1.0">
<dict>
  <key>CommandUUID</key>
  <string>UUID redacted</string>
  <key>ErrorChain</key>
  <array>
    <dict>
      <key>ErrorCode</key>
      <integer>12021</integer>
      <key>ErrorDomain</key>
      <string>MCMDMErrorDomain</string>
      <key>LocalizedDescription</key>
      <string>&#8222;ScheduleOSUpdateScan&#8220; ist kein g&#252;ltiger Anfragetyp.</string>
      <key>USEnglishDescription</key>
      <string>&#8220;ScheduleOSUpdateScan&#8221; is not a valid request type.</string>
    </dict>
  </array>
  <key>Status</key>
  <string>Error</string>
  <key>UDID</key>
  <string>REDACTED</string>
</dict>
</plist>
```

Mark Vonk (mark.vonk@dahvo.com)
2018-11-29 14:10:48

*Thread Reply:* I see this error on many Core 10 servers. I always assumed this is because the device(s) might not be supervised (and the Scheduled OS Update command is for supervised devices only)

fridomac (fridomac@googlemail.com)
2018-11-29 14:24:56

*Thread Reply:* Might be, we still have some unsupervised devices (one of the tenants of our MI server does not believe in DEP and finds it “too hard”)

Mark Vonk (mark.vonk@dahvo.com)
2018-11-29 14:54:42

*Thread Reply:* Yeah, in that case I would ignore the error.

fridomac (fridomac@googlemail.com)
2018-11-29 17:16:39

*Thread Reply:* Will do that, thank you!

fridomac (fridomac@googlemail.com)
2018-11-28 15:04:31

Which I think is something related to German localization….

fridomac (fridomac@googlemail.com)
2018-11-28 15:04:38

Thank you for all the help!

Woody (eric.woodland@trust.tc)
2018-11-28 15:17:11

Go @Rob and @fridomac!

Jay (jessica.jamison@hotmail.com)
2018-11-28 20:24:48

@Jay has joined the channel

msavolainen (mikko.savolainen@datainfo.fi)
2018-11-29 13:41:12

Hi everyone! MI Cloud and AAD integration with ADFS. Users and groups are synced ok, and MobileIron app settings should be fine. When logging in to eu1.mobileiron.com it redirects to ADFS like it should. After that error: AADSTS65005: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for ‘AAD Graph’ in the requested permissions in the client’s application registration.

msavolainen (mikko.savolainen@datainfo.fi)
2018-11-30 12:43:40

*Thread Reply:* This is resolved! We double-checked everything and there was a “www” missing in the identifier (entity id) url

👍 Woody
msavolainen (mikko.savolainen@datainfo.fi)
2018-11-29 13:41:26

Any experiences about that?

msavolainen (mikko.savolainen@datainfo.fi)
2018-11-29 13:48:11

I’ve done a few of these before, but never seen this kind of error message🤔

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-11-29 13:57:09

Sounds on the surface like a misconfiguration of the MI “app” in the azure ad infrastructure. Does it have the right API access permissions in AAD > Apps blade?

👍 Mark Vonk
Jason Bayton (jason@bayton.org)
2018-11-29 22:02:55

Logged a case with MI today, I’ve got two cloud customers with Galaxy XCover 4's on 8.1.0 not enforcing passcode 🙄

Mark Vonk (mark.vonk@dahvo.com)
2018-11-30 06:32:48

Core or cloud?

Jason Bayton (jason@bayton.org)
2018-11-30 08:33:14

Cloud Mark. Bug reports show the config is set as a device policy but the devices just don't prompt to set it, Vs other devices on their estates.

Both legacy and advanced passcode also. Bizarre.

MI haven't responded to the ticket in a full day so far so no progress there.

Mark Vonk (mark.vonk@dahvo.com)
2018-11-30 08:57:31

Might be your issue? Policies do not apply on Cloud with R57 client

Jason Bayton (jason@bayton.org)
2018-11-30 09:01:22

This isn't it I believe - but that's certainly the bug we found with enrolment a couple weeks back

Mark Vonk (mark.vonk@dahvo.com)
2018-11-30 09:13:06

Same result with the Go 3.5 version released a couple of days ago?

Morten Lauritzen (morten.lauritzen@citrix.com)
2018-11-30 10:06:21

@Morten Lauritzen has joined the channel

RobE (robert.kreuzer@outlook.com)
2018-12-02 09:45:26

Received an interesting use case and I would like your input: Customer has like 10 different On-premise applications, which are accessed via one Sentry with iOS Safari (Tunnel). One Tunnel VPN config exists where all the On-premise FQDNs are defined and Safari triggers automatically. Now the customer wants permissions which user can access which backend application - like group a is allowed on backend a and group b is allowed on backend b. Of course different Tunnel VPN configs can be created for these user groups, but that will not stop the user from triggering the Tunnel manually and entering the FQDN manually. Because a user from group a would also have the Tunnel app and the AppTunnel cert on the device and could therefore access backend b (if it is not possible to configure these permissions on the backend). I believe this is not possible without MobileIron Access - not even sure if it is possible at all with MobileIron Access. Any thoughts?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-02 09:48:36

*Thread Reply:* Agreed. You need an idp in there to govern this. Alternatively you link the AD group which grants access to the app, to the deployment of the tunnel. This means that once they have the rights to access to app, they also get the vpn.

No access, no vpn.

👍 RobE
RobE (robert.kreuzer@outlook.com)
2018-12-02 10:00:27

*Thread Reply:* Right, thanks Simon. I thought there could be a way to, let's say, create a tunnel config for backend a, trigger for backend a, but ignore everything for backend b. But that doesn’t seem to work. There will not be a user without Tunnel being deployed, because everyone is using it - only with different backends.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-02 10:04:50

*Thread Reply:* Though I wonder... I’m not sure how mobile iron sets up the tunnel... can this be setup with a certificate for authentication?

RobE (robert.kreuzer@outlook.com)
2018-12-02 10:05:33

*Thread Reply:* Yes every user has an identity certificate

NicolasR (raison_nicolas@me.com)
2018-12-02 23:21:59

*Thread Reply:* This is typical use case for an intelligent reverse proxy such as F5

NicolasR (raison_nicolas@me.com)
2018-12-02 23:22:10

*Thread Reply:* Sentry is not designed like this

Mark Vonk (mark.vonk@dahvo.com)
2018-12-02 11:47:57

How about making sure people only get access to the apps they are allowed to use? Even when they somehow download the apps themselves the Tunnel would not be triggered, not even when they enable the tunnel themselves. So, make sure users only have the apps they require.

Mark Vonk (mark.vonk@dahvo.com)
2018-12-02 11:49:20

If only Safari and webapps: indeed, create separate tunnel configs. Even when they manually enable it and type the url, the vpn will not be used as safari is not instructed to do so.

🙏 RobE
RobE (robert.kreuzer@outlook.com)
2018-12-02 12:02:25

*Thread Reply:* Yes, agreed. In my case it is only Safari. Ok, then I have to take a look into the Tunnel VPN test configuration for missing or wrong settings, because right now I only configure one backend but manually entering another backend also works.

Mark Vonk (mark.vonk@dahvo.com)
2018-12-02 12:22:06

*Thread Reply:* You have to restrict the safari domains so that only the allowed app / url is allowed. The rest will be sent to the internet and not the tunnel. So, be more exclusive/restrictive.

👍 RobE
RobE (robert.kreuzer@outlook.com)
2018-12-02 15:22:15

*Thread Reply:* How exactly would you restrict the Safari domains within the VPN configuration? I don’t see how this can be achieved and the Tunnel guide is not much help either. Tried it like this:

RobE (robert.kreuzer@outlook.com)
2018-12-02 15:22:51

*Thread Reply:* Never connect for forbidden backends and connect if needed for allowed backends

RobE (robert.kreuzer@outlook.com)
2018-12-02 15:24:00

*Thread Reply:* The guide says for on demand rules: “VPN on-demand rules are applied when the device’s primary network interface changes, for example when the device switches to a different Wi-Fi network”..

Mark Vonk (mark.vonk@dahvo.com)
2018-12-03 12:46:51

*Thread Reply:* That screenshot does not apply to Safari domains, it only applies to the Per App vpn connections. Below that you would see a paragraph called Safari domains. Here you would enter the domains. Say the domain is domain.com and you would like to grant users access to appA.domain.com but no other hosts in that domain, then enter in the Safari domains appA.domain.com. If you enter, for example, domain.com, the vpn will be triggered and the user can access any host within the domain.com domain.

Mark Vonk (mark.vonk@dahvo.com)
2018-12-02 11:50:35

Last thing: this should effectively be handled at the application backend level. If a user is not authorized to use it on the application level, it does not matter if they can get there; they would not be authorized to use them anyway.

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-02 11:52:03

*Thread Reply:* Agreed.

This should be all controlled at the app access level. If you're not approved to use it, then you shouldn't be able to login even if you can get to the login screen.

Common sense

RobE (robert.kreuzer@outlook.com)
2018-12-02 11:57:37

*Thread Reply:* Totally agree with you guys! 👍

macbentosh (benbergthold@gmail.com)
2018-12-03 21:04:29

anyone know of a cli command that would export an .csv to an SFTP for inventory export?

Preetham Guram (spurtipreetham.g@gmail.com)
2018-12-03 21:28:19

*Thread Reply:* scp?

NicolasR (raison_nicolas@me.com)
2018-12-03 21:33:00

*Thread Reply:* You mean a way to automate device list export to an SFTP?

NicolasR (raison_nicolas@me.com)
2018-12-03 21:33:23

*Thread Reply:* I would say Assemble task + save to an SFTP drive

macbentosh (benbergthold@gmail.com)
2018-12-03 21:53:30

*Thread Reply:* hmm

macbentosh (benbergthold@gmail.com)
2018-12-03 21:53:35

*Thread Reply:* may need to setup assemble

Jason (jasonh@bridgeway.co.uk)
2018-12-04 03:41:28

*Thread Reply:* For completeness, this is also possible with IronWorks (https://ironworks.io/) but with the added disclaimer that this is our solution… 🙂

Jason Bayton (jason@bayton.org)
2018-12-04 12:07:34

Cloud R58 is rolling out, EU1 has it. COPE support for Android is there also, and it’s ever-so-slightly smoother than Core!

Jason Bayton (jason@bayton.org)
2018-12-04 18:03:50

@here MI Cloud R58 has pushed COPE for AE as a default config applied to the Android device group. I’ve replicated in three tenants (1 of those customer). Any work-managed deployment will default, by the looks, to COPE if the device is 8.0+.

For any AE customers, this needs to be unassigned from the Android group before they enrol any further devices.

🙏 RobE
Mark Vonk (mark.vonk@dahvo.com)
2018-12-04 18:17:24

Unassigned if they want BYOD to be default?

Jason Bayton (jason@bayton.org)
2018-12-04 18:18:32

Zero impact on Work profile deployments as it only affects work-managed. If they want COPE they can leave it as is, but I'd generally expect a bit of planning before turning it on!

🙏 RobE
Mark Vonk (mark.vonk@dahvo.com)
2018-12-04 18:22:51

Check gotcha

Jason Bayton (jason@bayton.org)
2018-12-04 19:44:53

No fix mentioned

Mirko Bülles (mbulles@mobileiron.com)
2018-12-05 11:03:19

@Mirko Bülles has joined the channel

👍 NicolasR, RobE, Almar Diehl, Captain Web
RobE (robert.kreuzer@outlook.com)
2018-12-06 18:03:37

Anyone familiar with this? https://community.mobileiron.com/docs/DOC-7604 Came across a Core 10.1.0.1 today where this is enabled. iOS users can’t access Apps@Work via Webclip, Certificate prompt and user prompt exactly like described in this KB article. Have not moved the port to 9443 yet, disabling cert based auth within the Apps@Work settings didn’t help. I thought this would be fixed with 10.x? Has anyone come across this?

Alex Chappuis (alexandre.chappuis@nomasis.ch)
2018-12-07 13:12:29

Not seen this yet, as we're not using mutual auth for our customers yet.

👍 RobE
RobE (robert.kreuzer@outlook.com)
2018-12-07 19:49:28

Guys do you know if Wiko devices (Android - never heard of it before) are supported with a MobileIron Exchange config - it seems like there is no supported native client on these devices. https://de.wikomobile.com

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-07 20:15:53

*Thread Reply:*

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-07 20:17:41

*Thread Reply:* Sorry... Have to chuckle...

My wife is one of their in-house legal team... They're a French brand (2nd most popular brand after Samsung here in France) and their HQ is here in Marseille!!

They do support Android Enterprise with Gmail, can't speak as to mobileiron though but shouldn't see why there would be any issues.

👍 RobE, NicolasR, Mark Vonk
Jason Bayton (jason@bayton.org)
2018-12-07 20:24:09

*Thread Reply:* @Simon Hardy-Bistagne does she want to send a few samples my way for testing? 😁

😂 RobE
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-07 20:26:08

*Thread Reply:* Shouldn't see why not. I'll get her to drop their PR folks a request. Will drop you a PM

😁 Jason Bayton
RobE (robert.kreuzer@outlook.com)
2018-12-07 20:32:12

*Thread Reply:*

Kiran Patel (kiran@kiranpatel.net)
2018-12-08 17:22:14

Anyone have experience dealing with orphaned certs and deleting them from iOS devices? I recently retired my device and RE-enrolled it

Kiran Patel (kiran@kiranpatel.net)
2018-12-08 17:22:36

Apps@Work keeps giving me this. If I tap the bottom cert a ton of times it works but I can’t figure out how to delete the top cert

Kiran Patel (kiran@kiranpatel.net)
2018-12-08 17:22:44
Kiran Patel (kiran@kiranpatel.net)
2018-12-08 17:23:15

Pretty sure based off the # it’s the older one from my previous enrollment but it got orphaned on the device. I just can’t manually find it anywhere to delete it

Mark Vonk (mark.vonk@dahvo.com)
2018-12-08 18:08:01

You can’t delete them as you do not have access to the keystore. Issue seems to happen to random retired devices. Only thing you can do is a factory wipe.

Jason Bayton (jason@bayton.org)
2018-12-08 18:10:52

*Thread Reply:* Oof

Mark Vonk (mark.vonk@dahvo.com)
2018-12-08 18:15:12

*Thread Reply:* You could try and repush the Apps@work certificate profile as detailed here: https://community.mobileiron.com/docs/DOC-1957 But that never seemed to fix it at customers and was only resolved with a factory wipe.

👍 RobE, NicolasR
NicolasR (raison_nicolas@me.com)
2018-12-08 22:11:39

*Thread Reply:* Same for me...

Kiran Patel (kiran@kiranpatel.net)
2018-12-09 00:18:14

*Thread Reply:* Ouch that is not fun, I heard rumors the Cisco AnyConnect app was actually able to find and give users the ability to delete an orphaned cert. worked for me prior to iOS 12 but only recall using it twice

Clark (76clark@gmail.com)
2018-12-09 15:06:50

*Thread Reply:* It has been at least a year since I used it but here are the steps I used with Cisco AnyConnect

Clark (76clark@gmail.com)
2018-12-09 15:09:20

*Thread Reply:* 1. Download Anyconnect, 2. Select diagnostics at the bottom of the screen, 3. Select Certificates, 4. Select edit at the top right, 5. Select the red circle with the white dash for the cert you want to remove, 6. Confirm by deleting delete to the right of the cert, 7. Select Ok

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2018-12-09 22:09:08

*Thread Reply:* Thanks @dustinclark. Same steps I used to do... currently it’s not seeing the orphaned cert though.

RobE (robert.kreuzer@outlook.com)
2018-12-10 12:32:54

Duplicated UserIDs: 1 Core with 2 LDAP settings/connections for two different domains - the old domain and the new domain. But the UserIDs are equal across the domains. Not supported, right?

Almar Diehl (almar.diehl@blaud.com)
2018-12-10 12:44:22

Depends, if you need the 2 domains for user migration you can have 1 of the 2 accounts disabled and change the LDAP search filter to not include disabled users. Other option is to change the UserID property in the LDAP configs to UserPrincipalName instead of samAccountName (if the UPNs are unique of course).

See: https://community.mobileiron.com/docs/DOC-1849

👍 RobE, Mark Vonk, Alex Chappuis
RobE (robert.kreuzer@outlook.com)
2018-12-10 12:46:42

gotcha.. Thanks! 🙏

MichaelM21 (mike.miller815@yahoo.com)
2018-12-10 12:56:22

@MichaelM21 has joined the channel

Mark Vonk (mark.vonk@dahvo.com)
2018-12-10 15:14:31

Also make sure not to use groups with names that exist in both domains. That will cause another set of headaches...

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2018-12-11 06:39:36

What is the benefit of using an Enterprise Connector for LDAP with Core? The documentation states that the LDAP servers are still configured like without the Connector by using either LDAP or LDAPs (Services/LDAP) - but I don’t have to open 636 or 389 because of the Connector which uses https, correct?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-11 07:51:17

*Thread Reply:* It’s so that you don’t have to expose your on-prem AD servers to the public internet.

MichaelM21 (mike.miller815@yahoo.com)
2018-12-11 08:10:55

*Thread Reply:* You mean in case of Cloud, right? We are using Core, so I don‘t have to publish my AD servers for LDAP requests - at least I would have to open the ports for the DMZ if Core sits only in the DMZ.

Gerben Camp (gcamp@mobileiron.com)
2018-12-11 08:34:58

*Thread Reply:* You would have to open up the LDAP port on the firewall between DMZ and your AD server. With a connector on the same side of the firewall as where your AD is, you don’t. The connector opens a port 443 connection to the Core. The firewall sees this as an inside-out connection. The LDAP traffic from the Core to the AD server inside that 443 connection opened by the connector is considered return traffic. When configuring your LDAP servers you do not have to tell Core there is a connector. If Core cannot reach the LDAP server directly it will check if there is an incoming connection from a connector and will try that one to connect to the LDAP server. You can even set up multiple connectors for redundancy.

🙏 MichaelM21, NicolasR, Woody
MichaelM21 (mike.miller815@yahoo.com)
2018-12-11 10:59:35

*Thread Reply:* Thank you @Gerben Camp .

macbentosh (benbergthold@gmail.com)
2018-12-12 16:34:58

anyone know the best way to push conference room cals to an iphone?

tdang (thang@thangdang.com)
2018-12-12 17:50:16

@tdang has joined the channel

NicolasR (raison_nicolas@me.com)
2018-12-12 18:16:53

web clips should work with url scheme

👍 Woody
NicolasR (raison_nicolas@me.com)
2018-12-12 18:18:21

tel:555-666-777 as per documentation

NicolasR (raison_nicolas@me.com)
2018-12-12 18:20:07

works too

NicolasR (raison_nicolas@me.com)
2018-12-12 18:20:26

And you can put comma to pass through the conference room number

JP Guldfeldt (jpguldfeldt@hotmail.com)
2018-12-14 05:52:50

Anyone experience with Connector version 10.1.0.0? It seems that this version has a memory leak that causes Connector Service to reboot every 1-5 hours. We also have Connector with 9.x in another environment with the same setup and they are running stable. Unfortunately, not receiving much feedback from MobileIron. I did a clean installation because the Update didn’t work

JP Guldfeldt (jpguldfeldt@hotmail.com)
2018-12-18 08:09:38

*Thread Reply:* Update to 10.1.0.1 did NOT fix the problem. Still same errors; 2018-12-18 08:09:08,904 ERROR [systemWd] (ECSystemWatchdogThread.mainServiceLoop:80) - Some threads not healthy for service: ECServiceHealth:ldap, numThreads - Configured:4, Created:4, Running:3 Exception in thread "ldap2" java.lang.OutOfMemoryError: Java heap space

NicolasR (raison_nicolas@me.com)
2018-12-14 08:42:15

nop in our environments

Captain Web (tristan.valente@amaris.com)
2018-12-14 09:54:38

Re-installation is the only solution I’ve used for that, not enough time to troubleshoot this

JP Guldfeldt (jpguldfeldt@hotmail.com)
2018-12-14 09:59:09

But it was a clean install on both without import of configuration. installation following the MI instructions and with the same settings as before. And same problem on two connectors.

Captain Web (tristan.valente@amaris.com)
2018-12-14 10:48:59

I had this issue sometimes on earlier versions, but couldn’t test 10.1.0.0. I guess you’re stuck with that issue until MI solves it. Can you install an earlier version ?

JP Guldfeldt (jpguldfeldt@hotmail.com)
2018-12-14 12:21:05

Yes, did a rollback first time, but I have another issue with Integrated Sentry and O365, where MobileIron asked me to upgrade, so I am kind of stuck with version 10.x. But Monday I will update to 10.1.0.1 and see if it gives any changes. I know that other customers have problems with 10.x concerning update from 9.x to 10.x where the update doesn't work (just comes up with 9.x after reboot).

Captain Web (tristan.valente@amaris.com)
2018-12-14 13:25:13

Alright, keep us posted then 🙂

macbentosh (benbergthold@gmail.com)
2018-12-14 23:24:49

anyone still here

macbentosh (benbergthold@gmail.com)
2018-12-14 23:24:57

that uses VMWare horizon

jaimin.s (jaimins@gmail.com)
2018-12-14 23:33:07

Hey Ben - we use horizon workbench for our dev VM's/escalated priv jump boxes. What's up?

macbentosh (benbergthold@gmail.com)
2018-12-14 23:33:31

well

macbentosh (benbergthold@gmail.com)
2018-12-14 23:33:44

trying to create a managed app config by decoding their air watch docs

macbentosh (benbergthold@gmail.com)
2018-12-14 23:33:45

https://docs.vmware.com/en/VMware-Horizon-Client-for-iOS/4.10/horizon-client-ios-installation/GUID-FA0D1218-E28F-4CB5-8126-33011483E54F.html

macbentosh (benbergthold@gmail.com)
2018-12-14 23:33:55

however it looks like it is going to configure then stops

macbentosh (benbergthold@gmail.com)
2018-12-14 23:34:09

`<?xml version=“1.0” encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd“> <plist version=“1.0”> <dict> <key>servers</key> <string>vdi.mycmc.com</string> </dict> </plist>`

jaimin.s (jaimins@gmail.com)
2018-12-14 23:35:42

The value following "version" in the XML declaration must be a quoted string.

macbentosh (benbergthold@gmail.com)
2018-12-14 23:36:07
macbentosh (benbergthold@gmail.com)
2018-12-14 23:36:09

hows that look

jaimin.s (jaimins@gmail.com)
2018-12-14 23:37:59

That checks out. Are you able to get the app log by any chance?

macbentosh (benbergthold@gmail.com)
2018-12-14 23:43:34

thoughts?

macbentosh (benbergthold@gmail.com)
2018-12-14 23:43:43

that config.txt

macbentosh (benbergthold@gmail.com)
2018-12-14 23:47:39

Thing that sucks is we now have a whole dept down

macbentosh (benbergthold@gmail.com)
2018-12-17 16:30:59

hi all how can I restart just my port 443 instance of tomcat

Clark (76clark@gmail.com)
2018-12-17 16:39:03

@macbentosh service tomcat stop and then service tomcat start. Depending where you are at in the CLI you could instead do service tomcat restart

👍 Preetham Guram
macbentosh (benbergthold@gmail.com)
2018-12-17 16:41:06

our enrollment and appstore are not showing

AJ (ajorgensen@mobileiron.com)
2018-12-17 22:31:33

mifs in total or only the appstore?

macbentosh (benbergthold@gmail.com)
2018-12-17 23:02:26

restart of tomcat fixed it

👍 Woody
Captain Web (tristan.valente@amaris.com)
2018-12-18 17:30:07

Anyone ever had a problem where the MIFS will randomly crash every two weeks and MICS stays up ? There is nothing in the logs and a reboot is enough to make it run again, but I’ve never seen stuff like that. It’s a small server with 50 iPhones so not even that busy !

Mark Vonk (mark.vonk@dahvo.com)
2018-12-18 18:57:20

Core 10.0.** ?

Mark Vonk (mark.vonk@dahvo.com)
2018-12-18 18:59:13

If so, there is a known issue with Elastic Search crashing the Core: https://community.mobileiron.com/docs/DOC-8444

👍 Captain Web, MichaelM21
Clark (76clark@gmail.com)
2018-12-18 19:37:37

10.0.0.3 addressed this issue

Kiran Patel (kiran@kiranpatel.net)
2018-12-18 23:17:37

Always wait for the service pack, aka the x.1 release. JK!!!! Sort of 😜

NicolasR (raison_nicolas@me.com)
2018-12-19 08:59:04

Anyone integrated CISCO ISE API with CORE?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-19 08:59:59

*Thread Reply:* We’re about to do this with airwatch and intune...

Interested to hear your thoughts

NicolasR (raison_nicolas@me.com)
2018-12-19 09:00:41

*Thread Reply:* for now I'm testing the API calls

NicolasR (raison_nicolas@me.com)
2018-12-19 09:00:56

*Thread Reply:* we will certainly configure it in preproduction in january

Woody (eric.woodland@trust.tc)
2018-12-19 17:23:03

*Thread Reply:* We did it @ Kindred about two years with Core. Included some custom SAN values in the certificates for ISE to identify ownership of device to assign accordingly. Was a pretty clean setup. @Jonathan Henson and @japple can speak to how it's been behaving over the long haul.

NicolasR (raison_nicolas@me.com)
2019-01-11 09:47:49

*Thread Reply:* FYI, the API call is case sensitive and this one works: /api/v2/ciscoise/devices?paging=0&querycriteria=macaddress&value=A85C2C317842&filter=all

👍 Woody
NicolasR (raison_nicolas@me.com)
2019-01-11 09:48:33

*Thread Reply:* the "C" of querycriteria is lower case

👍 Woody
NicolasR (raison_nicolas@me.com)
2018-12-19 08:59:30

I'm having issues to filter the API calls with the defined request params

NicolasR (raison_nicolas@me.com)
2018-12-19 08:59:44

https://{{server}}/api/v2/ciscoise/devices?paging=0&queryCriteria=macaddress&value=A85C2C317842&filter=all

NicolasR (raison_nicolas@me.com)
2018-12-19 08:59:48

returns all the devices

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 13:02:53

Assuming you are querying for the MAC address of the WiFi interface, does the wifiMacs parameter work instead of macaddress?

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 13:05:42

Scratch that, that is a v2 API only, not ciscoise.

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 13:23:14

Same issue for me. Tried it with Postman and tried to use udid, imei and macaddress. All return the complete list of active devices...

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 13:25:30

Cisco ise integration documentation was non-existent until I asked for it a couple of years ago. Seems like they have not updated it since... guess you will have to report a case

NicolasR (raison_nicolas@me.com)
2018-12-19 15:48:05

Already reported a case, I also noticed that with any filter

NicolasR (raison_nicolas@me.com)
2018-12-19 15:48:28

Thanks!

NicolasR (raison_nicolas@me.com)
2018-12-19 15:50:30

Case 00444102

fridomac (fridomac@googlemail.com)
2018-12-19 17:58:23

Hello! Just had a not so nice talk with our network admin, who showed me a report from his Firewall, which said that my core and the 2 sentries seem to have connected to known Command and Control-Servers for Malware… Has anybody seen something like this and what can I do? (Core is Version 10.1.0.1, Sentries are 9.3.0).

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-19 18:04:16

*Thread Reply:* Afraid I can't help with the remediation aside from investigation of the destination ip to ensure it really is a known CNC server and raise it with mobileiron.

Do you have the destination address of the CNC service it's connecting to?

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-19 18:05:03

*Thread Reply:* I wouldn't be surprised if this were a false positive

👍 Woody
fridomac (fridomac@googlemail.com)
2018-12-19 18:23:35

*Thread Reply:* Thank you for the answers. I hope it is a false positive, too. Will try to open an issue with MobileIron and check with them.

fridomac (fridomac@googlemail.com)
2018-12-19 18:30:48

*Thread Reply:* In the report it looks like this:

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 18:34:40

*Thread Reply:* It looks like incoming and not outgoing connections, correct? Because the source IP are not the MobileIron servers (I assume these are the ones covered in red)

👍 Woody, fridomac
Almar Diehl (almar.diehl@blaud.com)
2018-12-19 18:35:47

*Thread Reply:* Are you sure the source IP addresses are in use by your MI servers? I see 4 addresses and you say there are 3 servers.....

Woody (eric.woodland@trust.tc)
2018-12-19 18:37:02

*Thread Reply:* Deployment Docs still state that the only outbound connection Sentrys should make by default (obviously changes if you have hosted email/etc): support.mobileiron.com (199.127.90.0/23) for software update repository and SFTP upload of showtech log

Woody (eric.woodland@trust.tc)
2018-12-19 18:38:13

*Thread Reply:* Agree with @Mark Vonk and @Almar Diehl - Those look like inbound requests from external hosts attempting to connect to the Sentrys on TCP 80

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-19 18:40:47

*Thread Reply:* Yeah... I'm even more sceptical now I see them...

From the IPs I see your Sentry is being scanned on those ports by someone hosted on an Alibaba cloud service.

Looks unlikely that you've actually been compromised.

fridomac (fridomac@googlemail.com)
2018-12-19 18:44:02

*Thread Reply:* @Almar Diehl One IP was listed twice, that´s why there are 4 lines (there are pages full of these lines in the report)

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 18:45:26

*Thread Reply:* Anyway, port 80 (incoming, so from Internet to the Core and/or Sentry servers) should not be opened. Block by default. There is nothing running on port 80 anyway, so there is no harm. As Simon said: the 4 IPs are from China (Tencent Cloud Computing mainly). So nothing really happening, they are just trying to find a weakness. In all honesty, it would be surprising if your firewall did not detect such behaviour continuously....

👍 Woody
Almar Diehl (almar.diehl@blaud.com)
2018-12-19 18:45:50

*Thread Reply:* Yes, 4 different source IP addresses. As said by others this looks like an attempt to contact your MI servers from the internet on port 80.

fridomac (fridomac@googlemail.com)
2018-12-19 18:51:18

*Thread Reply:* The firewall (Cisco Firepower) was implemented just in the last few months, so we don´t have a feel yet for what is “normal” and what is not. Also, the firewall rules for the sentries were put in place when we first installed them 6 or 7 years ago, so it is possible that port 80 is open (might have been necessary then). Will check that and close 80. What I wonder is how it gets the idea that there were outbound connections to those servers when the report says they were inbound….

Almar Diehl (almar.diehl@blaud.com)
2018-12-19 18:53:09

*Thread Reply:* I think it is just your network admin that got that idea, not the firewall 😁

fridomac (fridomac@googlemail.com)
2018-12-19 18:59:24

*Thread Reply:* Might also be 🙂 But it is listed in the Malware report from the firewall as “Intrusion Event - Malware Backdoor”

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 19:00:10

*Thread Reply:* Port 80 has never been a requirement in the time I have been working with MobileIron. Neither for the Core or the Sentry. Despite that, it might be a good time to check the firewall rules for MI servers and update them. Some ports are no longer needed or used (like 8080, 9998) which were needed 5 or more years ago.

👍 Woody
fridomac (fridomac@googlemail.com)
2018-12-19 19:05:18

*Thread Reply:* Yes, will check that with our firewall admin, now is a good time for a review of these rules (many of which are outdated, as you have guessed correctly)

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 19:05:43

*Thread Reply:* If the servers are infected with Webshell malware, the malware might be opening port 80 to allow for remote administration of the server. See: https://www.us-cert.gov/ncas/alerts/TA15-314A The message from your firewall and engineer are not really clear. Better have them check and see what's really going on (ie. what is actually seen from a dataflow perspective)

fridomac (fridomac@googlemail.com)
2018-12-19 19:07:19

*Thread Reply:* Just tried a portscan against the three servers, port 80 is open on all three…:-(

fridomac (fridomac@googlemail.com)
2018-12-19 19:07:45

*Thread Reply:* Should that be the case?

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 19:08:00

*Thread Reply:* Nope...

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 19:08:30

*Thread Reply:* Have your network admin block port 80 to all MI servers

fridomac (fridomac@googlemail.com)
2018-12-19 19:08:41

*Thread Reply:* Yes, will do that.

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 19:12:41

*Thread Reply:* That would be step 1. Step 2 would be to determine if your servers are infected. It could have previously been infected; the malware abuses common ASP, JSP and PHP code execution. So they could have used that on the Core/Sentry using JSP (MI uses JSP on Tomcat) to infect the servers with the malware. Best thing to do would be to involve either MobileIron support or some security expert with Linux knowledge and have them assess if they are infected.

👍 Simon Hardy-Bistagne, fridomac
Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-19 19:15:21

*Thread Reply:* Agree with Mark. As the ports are open, it's better to close off those ports immediately and monitor your server activity out to the web.

Also get mobileiron involved to check it out

fridomac (fridomac@googlemail.com)
2018-12-19 19:16:04

*Thread Reply:* Will open a call with MobileIron Support and have them take a look, Thank you for your replies!

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 19:19:17

*Thread Reply:* Try and see if your firewall admin can save the logs (hopefully, the full HTTP requests are logged). That would make it easier to find out if the servers are infected. Once the malware is installed, the people will try to access the servers using port 80 and leave files behind that do not belong to MobileIron. With the HTTP requests in detail, it would be easier to find the files. It did not look like something serious, and hopefully it's not. But it might be more serious than I made it look like before. Good luck!

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 19:20:44

*Thread Reply:* And let us know the outcome please.

Mark Vonk (mark.vonk@dahvo.com)
2018-12-19 19:21:53

*Thread Reply:* PS. also make sure to configure and use the ACLs (portals, API, etc.) on the Core (System Portal) if you haven't done that already.

fridomac (fridomac@googlemail.com)
2018-12-19 19:30:56

*Thread Reply:* on the core CLI (tcp), I see lots of connections on port 80 (SYN_RECEIVED) to an address in California (23.234.39.87)

fridomac (fridomac@googlemail.com)
2018-12-19 19:31:12

*Thread Reply:* will check the other recommendations and will report back tomorrow night….

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-19 19:42:19

*Thread Reply:* A brief search says that ip belongs to a Chinese owned, us based hosting company who target mostly Chinese customers who need hosting in the US.

fridomac (fridomac@googlemail.com)
2018-12-19 19:49:01

*Thread Reply:* That’s what I could find out, too. Thank you!

fridomac (fridomac@googlemail.com)
2018-12-20 13:34:21

*Thread Reply:* OK, just heard back from Support, there are no nefarious things on the Core and Sentries, and we closed Port 80.

Mark Vonk (mark.vonk@dahvo.com)
2018-12-20 13:35:49

*Thread Reply:* @fridomac 👍

fridomac (fridomac@googlemail.com)
2018-12-20 13:49:59

*Thread Reply:* Thanks again for the help!

Simon Hardy-Bistagne (simon@smnhdy.com)
2018-12-20 13:59:21

*Thread Reply:* Great to hear!

I think it's a good warning to all of us to make sure that we have a regular review of open ports. Especially if we have had our servers in place for a while.

MichaelM21 (mike.miller815@yahoo.com)
2018-12-20 17:42:15

Anyone using device spaces to separate different branches/locations? I am curious which permissions you give your device space admins, any best practices suggestions and how do you deal with the limitations on Core regarding no lockdown policies or Email+ configs unique for device spaces.

NicolasR (raison_nicolas@me.com)
2018-12-20 20:13:41

Mainly using Spaces for local IT admins for basic admin tasks or troubleshooting

MichaelM21 (mike.miller815@yahoo.com)
2018-12-20 21:32:02

Any ideas why sometimes the APNS and AppCommunity services shows failed on Core? (UnknownHostException), and most of the time it shows success?

NicolasR (raison_nicolas@me.com)
2018-12-20 23:01:36

*Thread Reply:* How many DNS servers did you configure and are these ones internal or external?

MichaelM21 (mike.miller815@yahoo.com)
2018-12-21 07:19:37

*Thread Reply:* Two internal DNS servers

NicolasR (raison_nicolas@me.com)
2018-12-21 10:12:44

*Thread Reply:* You should look if they are always able to resolve internet names. I've not seen such issues; an "UnknownHostException" is due to DNS resolution

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2018-12-21 11:00:44

*Thread Reply:* Thanks I will.. makes sense

Tobias (tobias.gruenewald@ebf.com)
2018-12-21 09:57:45

Does anyone have any insight as to what happened to the MI Insight app? It seems to be removed from both AppStore and Google Play without any announcement, probably due to incompatibilities with latest Core releases.

Woody (eric.woodland@trust.tc)
2018-12-21 15:43:07

*Thread Reply:* Darn! That was a fairly useful tool for basic remote administration

RobE (robert.kreuzer@outlook.com)
2018-12-23 09:03:03

*Thread Reply:* #MobileIronTeam, any insight?😊

Andrew Olpin (andy@olpin.us)
2018-12-27 19:25:35

*Thread Reply:* I believe that they stopped development on it a while back. I left mi about 8 months ago, so my info may be out of date, but that was the status when I left.

MichaelM21 (mike.miller815@yahoo.com)
2018-12-21 13:48:59

How do you guys handle monitoring and alerts with MobileIron? SNMP with Nagios, is there a document which checks can be used? Also Event settings / system alerts for admins: are you using a dedicated alert address or just the known admins directly? Thought I would create local admin account with a email address which is a distribution list for all the admins or ticket system, any good?

MichaelM21 (mike.miller815@yahoo.com)
2018-12-21 14:58:02

Found this, but the link is not working anymore

NicolasR (raison_nicolas@me.com)
2018-12-22 09:43:07

https://community.mobileiron.com/docs/DOC-1843

And/Or MobileIron Monitor (which lacks some features for now but is very useful for deep insight on Core performance)

🙏 MichaelM21, Woody, Mark Vonk
RobE (robert.kreuzer@outlook.com)
2018-12-26 09:48:49

In the privacy policy you can set if SMS or Call logs are enabled. If enabled, are these logs part of the Core Showtech?

Jason Bayton (jason@bayton.org)
2018-12-26 09:49:14

*Thread Reply:* I don't believe so no.

RobE (robert.kreuzer@outlook.com)
2018-12-26 10:26:41

*Thread Reply:* ok, and do you know where to find these logs and how to gather them?

Mark Vonk (mark.vonk@dahvo.com)
2018-12-27 08:14:19

*Thread Reply:* This is legacy. It was only for Samsung KNOX API devices (old APIs known as SAFE). You will need to create a SMS and Phone call log system (email, syslog, splunk, etc). Check the Android management guide for your Core version

👍 Jonas Hofer
Jason Bayton (jason@bayton.org)
2018-12-27 08:54:11

*Thread Reply:* Mark are they deprecated in Knox now? Presumably when core supports the unified APIs this will work with Samsung in AE also?

Mark Vonk (mark.vonk@dahvo.com)
2018-12-27 10:21:36

*Thread Reply:* Not sure, as these are not KNOX APIs but former SAFE APIs. Not sure if these will continue to work (without Device Admin) with KNOX 3.0 or higher.

👍 Jason Bayton
RobE (robert.kreuzer@outlook.com)
2018-12-27 12:06:42

*Thread Reply:* yikes, this is pretty interesting news! Thanks @Mark Vonk 🙏

Anton I (antonn94@gmail.com)
2019-01-03 08:49:06

@Anton I has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-01-04 09:28:46

Anyone else having issues with failing APNS services running Core 10.2? 10.1.0.0 showed success - after the upgrade to 10.2 the service fails. Ciphers are default.

Mark Vonk (mark.vonk@dahvo.com)
2019-01-04 09:36:13

No issue here with 10.2. Maybe apply the defaults again and reboot the server. That has fixed it in the past

👍 Fabian
Hitesh Ambulkar (hambu001@fiu.edu)
2019-01-08 19:33:53

@Hitesh Ambulkar has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-01-09 11:06:21

Any ideas why after stage for install reboot Core doesn’t apply the upgrade? 10.0.0.3 was downloaded successfully, but Core is still 9.7.0.2 after the reboot.

Almar Diehl (almar.diehl@blaud.com)
2019-01-09 12:22:00

Had the same on our server, would never upgrade when performing the stage for install/reboot from the System Management portal. Performing a Software Update and Reload on the CLI solved my issue.

👍 Woody, MichaelM21
Woody (eric.woodland@trust.tc)
2019-01-09 12:33:13

Ah, @Almar Diehl guess there’s some broken linkage in the UI. Good to hear initiating via the CLI worked!

MichaelM21 (mike.miller815@yahoo.com)
2019-01-09 13:38:06

Looks like it is not enough space within / 14G available, but 15G recommended

Mark Vonk (mark.vonk@dahvo.com)
2019-01-09 15:47:05

*Thread Reply:* Yes, this is a known issue. It does not warn you, even not during the Verify stage. There is a document on the communities site on how to enlarge your partitions.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-09 20:02:20

*Thread Reply:* Thank you Mark. Yes I have seen that document and I gotta say this is pretty rough and tough.

Mark Vonk (mark.vonk@dahvo.com)
2019-01-09 20:04:50

*Thread Reply:* Yeah, take your time and make sure you have backups and snapshots. If you don’t want to take the risk: set up a new Core, same version, with enough disk space and perform a backup of the old and restore it to the new server after shutting down the old one. That way you always have a fallback scenario.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-09 21:25:56

*Thread Reply:* Thanks, very good idea 💡

Woody (eric.woodland@trust.tc)
2019-01-09 13:54:00

@MichaelM21 Support should be able to help you clean that up.

👍 MichaelM21
Woody (eric.woodland@trust.tc)
2019-01-09 15:30:03

@here Curious - Do we have any folks here using Okta with MobileIron for SSO?

Mirko Bülles (mbulles@mobileiron.com)
2019-01-09 15:31:32

Hey Eric, I know Fredric from PS has some customers who do.

Woody (eric.woodland@trust.tc)
2019-01-09 15:32:33

If yes, two questions:

1) Would you find value in utilizing Okta’s Universal Directory via an LDAPS Interface (eliminating need for Connectors)?

2) Would you find value in Okta lifecycle management (aka provisioning/de-provisioning) (via SCIM) into Core and/or Cloud?

Mirko Bülles (mbulles@mobileiron.com)
2019-01-09 15:32:38

Also together with AaaS where OKTA acts as IDP

Woody (eric.woodland@trust.tc)
2019-01-09 15:33:24

@Mirko Bülles Nice! I thought we had Fredric on here.. I may send him a personalized invite 🙂

Woody (eric.woodland@trust.tc)
2019-01-09 15:34:45

@Mirko Bülles Okta can Del Auth to Access, both running on Sentry and AaaS. Is that what you were getting at?

Mirko Bülles (mbulles@mobileiron.com)
2019-01-09 15:37:31

OKTA can be used as IDP with AaaS, I have not used it that way, only with ADFS, but Fredrik does. So best is to ping him. But the only time I would use this is if the customer does not want auth traffic to flow through Sentry. Otherwise I would always stick with Access, instead of Access with DelDP as you lose some features.

Adam Matthews (adam@adammatthews.co.uk)
2019-01-09 22:26:49

@Adam Matthews has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2019-01-10 00:59:57

Woody #2 would be useful for us if it also let us decide how to retire in core / cloud.

Kiran Patel (kiran@kiranpatel.net)
2019-01-10 01:00:32

For example we may want to apply a label if Corp owned train straight retire if certain conditions apply

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2019-01-10 01:00:48

We currently use Access with ADFS

Woody (eric.woodland@trust.tc)
2019-01-10 02:23:24

Nice feedback @Kiran Patel! Will add to my notes 😁

MichaelM21 (mike.miller815@yahoo.com)
2019-01-11 06:23:44

Does anyone know on the fly how far back the audit logs remain on Core?

NicolasR (raison_nicolas@me.com)
2019-01-11 09:02:48

The setting is configurable through System manager portal. I think by default it's 3 months

👍 MichaelM21
Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-01-14 08:16:38

@Marc van der Kooy has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-01-14 15:51:24

Is there a negative impact when location based checkin is disabled within the Privacy policy?

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-14 15:53:03

Time intervals between automated check-in and device compliance checks will be increased.

Apart from that I don't believe there is much else.

👍 Woody, MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-01-14 17:09:35

What is the actual purpose of that feature?

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-14 17:12:57

To use the change in your location to trigger the said checks rather than relying on the timed automatic checks.

It means more regular checks while you're using the device rather than relying on fixed times when the app checks.

This means that the time between becoming non compliant and the app detecting it is shortened.

✅ Woody, MichaelM21, Mark Vonk
🙏 MichaelM21
dherder (dherder@gmail.com)
2019-01-15 15:43:20

@dherder has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-01-16 06:37:04

Short Email+ feature question: 1) is there a search option within the Email+ calendar? 2) is there a calendar week view within the Email+ calendar? I am guessing feature request!

Almar Diehl (almar.diehl@blaud.com)
2019-01-16 06:54:39

Email+ on Android: search No, week view Yes

MichaelM21 (mike.miller815@yahoo.com)
2019-01-16 07:38:18

Thanks for the feedback. On Android enterprise Email+ I cannot find anything about calendar weeks. Are you referring to AppConnect?

Almar Diehl (almar.diehl@blaud.com)
2019-01-16 09:42:39

No, I am using the AE version, see the screenshot.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-16 10:59:54

*Thread Reply:* I don’t see the calendar weeks in your screenshot either!

MichaelM21 (mike.miller815@yahoo.com)
2019-01-16 11:02:54

*Thread Reply:* Here you can see the calendar weeks on the left hand side..

Almar Diehl (almar.diehl@blaud.com)
2019-01-17 13:45:32

*Thread Reply:* Ah, now I see what you mean by ‘Calendar weeks’. No, this is (still) not available.

Almar Diehl (almar.diehl@blaud.com)
2019-01-17 14:13:39

*Thread Reply:* But what I see in your screenshot is in email+ the month view. In my screenshot you see the month view in Email+ 3.0 (beta), that also includes the weeknumbers!

Nicola (nicola.aloise@nomasis.ch)
2019-01-16 10:06:24

@Almar Diehl Feature Request (ID # 42014) regarding "search box" open since 29.03.2017...

👍 MichaelM21, Woody
Almar Diehl (almar.diehl@blaud.com)
2019-01-16 10:19:58

@Nicola Good news, calendar search will be available in Email+ 3.0, currently in beta.

👍 MichaelM21, Woody, Nicola
Jason Bayton (jason@bayton.org)
2019-01-16 12:46:15

Has anyone seen Screentime get restricted with mobileiron cloud? If so, do you happen to know the restriction that causes it?

Daniël Kraaijeveld (daniel.kraaijeveld@twentynice.com)
2019-01-16 12:58:30

Found this in Apple’s documentation, so that correlates to “Allow user to enable restrictions in Settings UI” in the iOS restrictions policy on MI Cloud.

👍 Mark Vonk, Woody
Jason Bayton (jason@bayton.org)
2019-01-16 12:59:17

amazing find, thank you @Daniël Kraaijeveld

macbentosh (benbergthold@gmail.com)
2019-01-16 17:19:24

anyone configuring work space with a managed app config

MichaelM21 (mike.miller815@yahoo.com)
2019-01-16 18:07:00

Do you mean device spaces or Work Space as in Android enterprise work space?

👍 Woody
🤔 Mark Vonk
James (murrayj@vmware.com)
2019-01-16 19:04:49

@James has joined the channel

Martijn Schraven (martijn.schraven@centralpoint.nl)
2019-01-16 20:11:19

@Martijn Schraven has joined the channel

macbentosh (benbergthold@gmail.com)
2019-01-16 22:24:57

the store url to workspace for ios @MichaelM21

Denmaru (florian.lampel@cancom.at)
2019-01-17 12:35:14

Has anyone in here had to use Threat Defense with MI Core 10.1?

Kiran Patel (kiran@kiranpatel.net)
2019-01-19 13:14:32

*Thread Reply:* I wouldn’t say we had to but we are testing it right now for a few users in Prod

Jngo (jeff.n87@gmail.com)
2019-01-17 15:20:06

@Jngo has joined the channel

Jack Madden (jackalexandermadden@gmail.com)
2019-01-17 18:19:44

@Jack Madden has joined the channel

Jack Madden (jackalexandermadden@gmail.com)
2019-01-17 18:20:29

MobileIron issued a press release about their new SVP of product management. Anybody read any significance into this? Or just business as usual? https://www.businesswire.com/news/home/20190116005042/en/MobileIron-Appoints-Brian-Foster-SVP-Product-Management

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-17 18:25:51

They also announced a new CMO too at the same time.

Both have backgrounds in Symantec and McAfee so I think there is a pattern here... It looks like they're trying to get some more experience when it comes to larger security vendors up at the higher levels.

Woody (eric.woodland@trust.tc)
2019-01-17 18:47:25

I figured they had to back-fill John Morgan’s role and Brian happened to be free. Business as usual as far as I’m concerned

NicolasR (raison_nicolas@me.com)
2019-01-17 22:12:45

Brian has experience at McAfee and also a company called Neustar which works with identity protection.... Just to say 🙂

Woody (eric.woodland@trust.tc)
2019-01-18 01:40:30

Ah, good ole Neustar. They had some cool offerings back in the day. Guessing they’ve innovated since then and are still relevant

MichaelM21 (mike.miller815@yahoo.com)
2019-01-18 07:49:43

Does anybody know If Zebra (Android 7) devices can be enrolled as Android enterprise with Core or is there a certain difference?

NicolasR (raison_nicolas@me.com)
2019-01-18 07:51:09

Zebra Android 7 are as far as I know GMS enabled so: yes

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-18 07:57:25

Yes but be careful. Most of the zebra devices come in 2 flavours, one with GMS and one without.

Make sure you have the right ones ordered.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-18 08:06:34

Ah got it. Is there a way to find out in the device details if Play Services are available on the device?

NicolasR (raison_nicolas@me.com)
2019-01-18 08:22:52

If the play store (or any other Google's app) is installed then you have GMS

👍 MichaelM21, Simon Hardy-Bistagne, Woody
Phil Hackett (phil.hackett83@gmail.com)
2019-01-18 11:22:38

Yes, we’ve got quite a few Zebra TC51 / TC20’s which are registered with Core as Work-managed / COSU devices. They are running Android 7 (GMS enabled).

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-01-18 14:08:43

Thanks for your feedback. Found out that the customer bought Zebras without GMS, so no Android enterprise, only DA. Therefore they have installed M@W manually via APK. After the devices have been enrolled, can new versions of M@W be pushed/managed via Core? I guess so.

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-18 14:16:56

As long as they don't upgrade past Android 9 in the future you should be fine. Just remember the normal limitations of managing non GMS devices.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-18 14:18:30

Right, I have already mentioned the DA deprecation. What normal limitations are you referring to?

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-18 14:27:20

Normally just a delay in processing commands... I'm not sure if MobileIron has its own alternative to google push notification services like AirWatch does or if you issue wipe commands or password resets there might be a delay until the device syncs

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-01-19 13:14:17

Core Security Policy - what is the reason for using „out-of-policy for X number of days“ and „out-of-contact for X number of days“ together? Since „out-of-policy“ is a much shorter value, this will always hit first. Because how can the device be out of contact but still receive policy changes? I don’t grasp the sense behind this.

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-19 13:18:09

For us it would be so that you can apply different actions based on the status.

For example, a device out of policy due to a blacklisted app we would remove mail profile right away, but if the bad app isn’t removed after 10 days we’d remote wipe the device.

For out of contact after 30 days we would assume the device is no longer in use and simply send a straight wipe command and delete the device record.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-19 13:47:32

Very interesting, thanks Simon! 🙏 ah now I get it, out of policy doesn’t literally mean when a policy is out of date! 😂 It means when the device is out of policy like you described with an app control rule violation for example! Stupid me 😂 ..how do you automatically delete the device after like 30 days? Custom compliance action?

Mark Vonk (mark.vonk@dahvo.com)
2019-01-19 15:32:31

No, that is not correct: out of policy for X number of days means that the device does not have a policy applied successfully in X days. So for whatever reason the policy is not applied onto the device. Could be due to the fact the device is not communicating with the Core, but could also be because the policy fails to be applied successfully.

Mark Vonk (mark.vonk@dahvo.com)
2019-01-19 15:48:07

I was referring to this: “It means when the device is out of policy like you described with an app control rule violation for example!” From @MichaelM21 . This is not correct. This rule has nothing to do with being out-of-compliance

👍 Simon Hardy-Bistagne, MichaelM21, Daniël Kraaijeveld
Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-19 15:48:38

Ah ok 🙂

MichaelM21 (mike.miller815@yahoo.com)
2019-01-19 17:27:03

Ok thanks Mark! 😊

MichaelM21 (mike.miller815@yahoo.com)
2019-01-20 13:01:53

Are you guys working with Events on Core? I have created a System Event, but somehow the Admins don’t receive any emails. Notification is set for Emails to Admins. I have picked the admins which have registered devices on Core. I have not selected a Label since it is not applicable for users. Any idea what is missing?

Kiran Patel (kiran@kiranpatel.net)
2019-01-21 00:48:40

Not 100% sure as it’s been a while but I recall that the alert may also need to be sent to at least 1 admin’s device?

NicolasR (raison_nicolas@me.com)
2019-01-21 09:42:57

Not anymore @Kiran Patel. @MichaelM21, is Core able to send email via SMTP?

MichaelM21 (mike.miller815@yahoo.com)
2019-01-21 14:34:08

Yes, it is configured and the invite mails from Core are being delivered

Almar Diehl (almar.diehl@blaud.com)
2019-01-21 14:40:43

@MichaelM21 Check Logs --> Events. Do you see the events there, with the correct recipient list?

MichaelM21 (mike.miller815@yahoo.com)
2019-01-21 15:06:49

Yes I can see the events with the correct admins.

mahiroux (mhyb.mk@gmail.com)
2019-01-21 16:03:09

Anyone facing issues adding SharePoint site on AE Docs@Work 2.6 with Sentry 9.5?

MichaelM21 (mike.miller815@yahoo.com)
2019-01-22 16:23:28

Quick one: why is the Registration PIN not in the SMS? (Core)

Almar Diehl (almar.diehl@blaud.com)
2019-01-22 16:59:47

*Thread Reply:* Because if someone makes a typo in the mobile number to use it would send the registration pin to the wrong person, giving this person the opportunity to register a device.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-22 17:02:24

*Thread Reply:* Makes total sense! Thanks Almar 👍🙏

Al (al.mackay@astrazeneca.com)
2019-01-23 11:07:48

@Al has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-01-24 20:20:27

Anyone else having issues with Polaris failing the license activation with Docs@Work? Firewall issue?

Woody (eric.woodland@trust.tc)
2019-01-24 20:23:00

@MichaelM21 it is usually related to blocking of networks/ports on outbound connections

👍 MichaelM21
Woody (eric.woodland@trust.tc)
2019-01-24 20:23:55

Does the activation with Polaris succeed on a open WiFi/Cellular connection?

MichaelM21 (mike.miller815@yahoo.com)
2019-01-24 20:25:16

Thanks @Woody , gotta try it.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-24 20:25:31

Found this:

Mark Vonk (mark.vonk@dahvo.com)
2019-01-24 20:30:28

In the AppTunnel rules applied to Docs@Work, do not tunnel everything ( . ) but only your internal domain (**.domain.intra). That way, the app can contact Polaris servers without going through the AppTunnel Sentry.

👍 Woody, MichaelM21
Mark Vonk (mark.vonk@dahvo.com)
2019-01-24 20:31:52

It’s impossible to use the ** sign between brackets in Slack apparently

Mark Vonk (mark.vonk@dahvo.com)
2019-01-24 20:33:01

But what I mean is: do not use the ** sign for the AppTunnel rule, use more specific rules that exclude external service domains

MichaelM21 (mike.miller815@yahoo.com)
2019-01-24 20:35:30

Good hint, thanks @Mark Vonk 🙏..on iOS D@W I used server.internaldomain.com, but on AE D@W I am not sure, there could be a **.internaldomain.com, but not the wildcard alone.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-24 20:42:11

What happened to MobileIron Rooms? 😳 can conference rooms now be booked/added via Email+?

Woody (eric.woodland@trust.tc)
2019-01-24 20:42:31

MobileIron Rooms, now that one goes back a couple years

😁 MichaelM21, NicolasR
MichaelM21 (mike.miller815@yahoo.com)
2019-01-25 06:58:41

What happens when a user certificate from a PKI will expire which is used for Exchange - will Core Auto-Renew the certificate or is this a manual process via Admin Portal?

Almar Diehl (almar.diehl@blaud.com)
2019-01-25 07:39:58

Core will auto-renew the certificate.

👍 MichaelM21
NicolasR (raison_nicolas@me.com)
2019-01-25 08:46:16

60 days before expiration CORE renews the cert automatically

👍 MichaelM21, Woody
Tinus (freewheelzgroningen@gmail.com)
2019-01-25 10:57:33

Hi there guys, Anybody ever tried to get the license/bundle data from a MI Cloud tenant using API calls? I’m not sure if this is even possible, since I can’t seem to find anything about this in the API document for Cloud. Tips are welcome if there are any at all.

Woody (eric.woodland@trust.tc)
2019-01-25 14:10:49

Hmm @Tinus that’s a good question. I can’t say I’ve seen that option, but @Russell Mohr may be able to find out.

macbentosh (benbergthold@gmail.com)
2019-01-25 17:39:31

trying to update android clients to the new docs @ work and keep getting there was a problem connecting to the server when downloading

Woody (eric.woodland@trust.tc)
2019-01-25 17:51:42

Coming from the Google Play store, right @macbentosh?

macbentosh (benbergthold@gmail.com)
2019-01-25 17:52:04

no APK downloaded from support.mobileiron.com

macbentosh (benbergthold@gmail.com)
2019-01-25 17:55:17

where is @Jason

macbentosh (benbergthold@gmail.com)
2019-01-25 17:55:20

lol

Russell Mohr (rmohr@mobileiron.com)
2019-01-25 18:56:44

@Tinus no special licensing necessary to invoke API calls

Russell Mohr (rmohr@mobileiron.com)
2019-01-25 18:56:56

unless you are setting a feature that you don’t have a license for…

Russell Mohr (rmohr@mobileiron.com)
2019-01-25 18:58:59

Ah sorry @Tinus

Russell Mohr (rmohr@mobileiron.com)
2019-01-25 18:59:02

misunderstood

Jason (jasonh@bridgeway.co.uk)
2019-01-25 18:59:02

Actually, this is an area that I can help with.

Jason (jasonh@bridgeway.co.uk)
2019-01-25 18:59:08

Thanks, @macbentosh!

Jason (jasonh@bridgeway.co.uk)
2019-01-25 19:00:28

@Tinus The APIs are different for the on-prem Core than for the Cloud version. There is a body of work planned to bring these into feature parity later this year, as part of the extensions to the CPS APIs (currently only in Cloud, and limited in functionality as well)

Jason (jasonh@bridgeway.co.uk)
2019-01-25 19:01:35

Our own IronWorks solution (for management reporting on MobileIron deployments) is currently limited to on-prem Cores and Connected Cloud integration for this very same reason.

Jason (jasonh@bridgeway.co.uk)
2019-01-25 19:01:56

We are looking forward to the new APIs, but they’re not fully there yet.

Jason (jasonh@bridgeway.co.uk)
2019-01-25 19:02:57

So, specifically to your question, feature bundle information is possible with API calls to the on-prem/Connected Cloud Core server, but there is no published equivalent for Cloud.

Jason (jasonh@bridgeway.co.uk)
2019-01-25 19:03:27

(We use this feature for our IronWorks licence calculator report)

Jason (jasonh@bridgeway.co.uk)
2019-01-25 19:03:50

Hope this helps

Russell Mohr (rmohr@mobileiron.com)
2019-01-25 19:06:20

@Tinus You can view in the GUI by clicking on Account info

Russell Mohr (rmohr@mobileiron.com)
2019-01-25 19:06:36
Russell Mohr (rmohr@mobileiron.com)
2019-01-25 19:06:47

you might be able to scrape something..

Russell Mohr (rmohr@mobileiron.com)
2019-01-25 19:07:16

From the screen that is displayed next

MichaelM21 (mike.miller815@yahoo.com)
2019-01-26 07:07:25

I am interested in Use Cases for Compliance Policy Rules and Tiered Compliance - what are you guys using it for? Examples please 💪🙏

Jason Bayton (jason@bayton.org)
2019-01-26 08:18:31

*Thread Reply:* Policy out of date, device not checked in, compromised, passcode not set... Likely more but can't think offhand

👍 MichaelM21
Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-26 08:32:17

*Thread Reply:* I'm not sure if these map into MI, but I have used the following regularly.

Compromised: Enterprise wipe
Device last seen: Enterprise wipe after X days
Encryption: Notification + Block profile > Enterprise wipe
Roaming: notification email to TEM provider
OS Version: Notification with update instruction > block profiles
Passcode: Notification + block profiles > enterprise wipe
Personal macOS: Block + Notify

We also have various compliance policies around lookout where unless the app is installed and active then the user is blocked from most profiles and notifications get sent, along with various actions based on threats detected by the MTD.

MichaelM21 (mike.miller815@yahoo.com)
2019-01-26 08:32:58

*Thread Reply:* Right, thanks Jason. Policy out of hand, device not connected to Core could also be used in a Security policy. But due to Tiered Compliance you prefer Compliance policies, right?

Jason Bayton (jason@bayton.org)
2019-01-26 08:51:35

*Thread Reply:* Can't say I much use them.

🤘 MichaelM21
Jason (jasonh@bridgeway.co.uk)
2019-01-26 09:16:35

We use them for delivering longer-term trend analysis and compliance/management reporting (with e.g. ISO27k and GDPR reports baked in), operational dashboards, licence optimisation (and hence cost-saving) calculations, and many other features. Typically we’re saving IronWorks customers 14-34% in MobileIron licensing costs, but that number is climbing rapidly as customers roll out our new bundle calculator feature.

😳 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-01-27 07:38:53

Does anyone know a way to retire (not wipe like with the security policy) devices if failed passcode attempts reach a certain number?

NicolasR (raison_nicolas@me.com)
2019-01-27 08:47:42

*Thread Reply:* iOS: not possible
Android: only Work profile devices act like this

👍 MichaelM21, Jason Bayton
MichaelM21 (mike.miller815@yahoo.com)
2019-01-27 17:51:26

*Thread Reply:* Probably a way with Assemble

NicolasR (raison_nicolas@me.com)
2019-01-27 18:12:30

*Thread Reply:* Nop, the number of failed attempts is not reported on Core, therefore assemble can’t use it

Tinus (freewheelzgroningen@gmail.com)
2019-01-27 15:27:39

@Russell Mohr @Jason Thanks Russell, Jason, but I would like to incorporate this info in our system monitoring tool that we are using for reporting on all sorts of systems. The current option indeed is to login on all of the customer tenants now and then, but I am looking for a way to automate that. Would be nice if in the future there would be a way to get this info thru APIs.

Ankit Gupta (ankit@shoonya.io)
2019-01-28 04:33:27

@Ankit Gupta has joined the channel

Martijn Rijerse (martijn.rijerse@dahvo.com)
2019-01-30 12:29:17

@Martijn Rijerse has joined the channel

NicolasR (raison_nicolas@me.com)
2019-01-30 16:15:29

Tip of the day: To be able to properly use MI CLOUD console with password managers you can put the username as parameter to the request like this: https://eu1.mobileiron.com/login.html?&uid=nicolas@miacme.com

👍 Woody, Jason, Almar Diehl, Jason Bayton, Kiran Patel, Captain Web
Jason Bayton (jason@bayton.org)
2019-01-30 16:18:41

Oh thank you so much. Doing my head in!

macbentosh (benbergthold@gmail.com)
2019-01-30 16:50:06

Odd issue today folks. Seems to be 12.1.2. We have restrictions to disable passcode changes. We also have a policy to require a password. After a password is set in the setup assistant, when the restriction is applied the passcode is removed. Some of the setup assistant part is hearsay as I have not had a chance to get my hands on a device.

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-01-30 16:51:18

What is the password requirement you set? Alphanumeric?

macbentosh (benbergthold@gmail.com)
2019-01-30 18:54:25

number

John_seston (john.seston@me.com)
2019-02-01 10:05:33

@John_seston has joined the channel

Jason (jasonh@bridgeway.co.uk)
2019-02-01 14:37:33

@Tinus Interestingly, I can confirm that the next batch of CPS APIs are now at feature parity across both on-prem Core (v10.2 and above) and Cloud.

NicolasR (raison_nicolas@me.com)
2019-02-01 14:37:58

nice

NicolasR (raison_nicolas@me.com)
2019-02-01 14:38:18

is there feature parity between v1/2 standard CORE API with CPS?

Jason (jasonh@bridgeway.co.uk)
2019-02-01 14:39:58

Ah, now that’s a loaded question… 🙂

Jason (jasonh@bridgeway.co.uk)
2019-02-01 14:41:08

We’re hoping to move completely across to CPS and are currently testing the new CPS APIs across both platforms. Watch this space for further announcements!

Jason (jasonh@bridgeway.co.uk)
2019-02-01 16:48:46

In short, no.

Jason (jasonh@bridgeway.co.uk)
2019-02-01 16:50:20

There’s still a lot of missing backbone functionality in CPS APIs as they stand, but the new MQTT-based messaging for app and location changes is quite interesting and worthy of further examination.

👍 NicolasR
Jason Bayton (jason@bayton.org)
2019-02-04 16:15:00

Is there an app limit in the MI kiosk @here?

NicolasR (raison_nicolas@me.com)
2019-02-04 16:19:43

AFAIK nop

NicolasR (raison_nicolas@me.com)
2019-02-04 16:19:58

I never heard about limitation on the number of apps

NicolasR (raison_nicolas@me.com)
2019-02-04 16:20:35

at some point you should be limited by the device hardware though 😄

Jason Bayton (jason@bayton.org)
2019-02-04 16:22:43

@MichaelM21 there we go! There certainly won't be on the AE side, so it'd be MI if anything

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-02-04 17:58:00

*Thread Reply:* Thanks @Jason Bayton & @NicolasR 🙏

macbentosh (benbergthold@gmail.com)
2019-02-04 16:38:45

how was this retired?

Mark Vonk (mark.vonk@dahvo.com)
2019-02-04 18:29:26

*Thread Reply:* That's an automated cleanup; the same device for the same user has been registered on the Core multiple times. Core automatically cleans up the oldest registration(s)

MichaelM21 (mike.miller815@yahoo.com)
2019-02-04 18:01:40

I have a couple of devices (mostly Android) where the device name on Core (10.1.0.0) is blank. Is there a sync cycle involved in collecting the info or could that be an Android thing, any ideas?

Mark Vonk (mark.vonk@dahvo.com)
2019-02-04 19:43:53

*Thread Reply:* Any particular brand or type of device you are having an issue with? Never seen that before.

MichaelM21 (mike.miller815@yahoo.com)
2019-02-05 08:45:17

*Thread Reply:* All of them are Samsung devices, different models

Mark Vonk (mark.vonk@dahvo.com)
2019-02-07 18:55:42

*Thread Reply:* Was this fixed after you fixed the connection to Google wrt Android Enterprise?

MichaelM21 (mike.miller815@yahoo.com)
2019-02-08 19:44:15

*Thread Reply:* No that was a different environment

Kiran Patel (kiran@kiranpatel.net)
2019-02-05 01:48:12

Has anyone had the need to initiate a MI Core LDAP Sync through the API? Anyone know if this was introduced since this page?

Prapula (prapula@mobilenetwork.com.au)
2019-02-05 04:14:15

@Prapula has joined the channel

Sam (sam@mobilenetwork.com.au)
2019-02-05 05:43:18

@Sam has joined the channel

Luc (luc.rames@digitaldimension.fr)
2019-02-06 16:57:29

@Luc has joined the channel

Karl Seaton (karl.seaton@wandera.com)
2019-02-07 15:46:17

@Karl Seaton has joined the channel

Kory (kharker@cradlepoint.com)
2019-02-07 17:57:10

@here anyone run into an issue enrolling MacOS where the initial enrollment profile gives this error: “Profile installation failed. Unable to decrypt encrypted profile.” ?

Mirko Bülles (mbulles@mobileiron.com)
2019-02-07 17:57:57

Are you using Core or Cloud, send me a screenshot if possible, Mirko.

msavolainen (mikko.savolainen@datainfo.fi)
2019-02-08 13:02:26

Would anyone have more information about this Android Email+ problem? https://community.mobileiron.com/docs/DOC-9664

Jason Bayton (jason@bayton.org)
2019-02-08 13:02:55

There's no further info ATM. They're working with Google to understand why it was pulled.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-02-08 13:08:43

already enrolled devices keep the app. only new installations are a problem.

Jason Bayton (jason@bayton.org)
2019-02-08 13:10:34

And updates

msavolainen (mikko.savolainen@datainfo.fi)
2019-02-08 13:31:30

Must wait then. Email+ Preview seems to be there, but I don’t know if it is stable

Jason Bayton (jason@bayton.org)
2019-02-08 14:19:50

Email+ preview requires a license, so it's not an option. Just waiting is all we can do. I'd be interested in knowing what MI violated to have it pulled.

Jason Bayton (jason@bayton.org)
2019-02-08 19:15:01

There we are, they failed to plan for the new enforcements on SMS/Phone permissions and got taken down. Great to see Google sparing no-one in this initiative. The app should be whitelisted and back up soon (one would hope).

👍 Woody, msavolainen
Jason Bayton (jason@bayton.org)
2019-02-08 20:16:05

AND anyone using Core on a version less than 10.1 with Android Enterprise, it looks like app management will soon stop functioning as the old Play APIs have been deprecated. Get updatin'

👍 Woody, NicolasR
MichaelM21 (mike.miller815@yahoo.com)
2019-02-10 18:47:35

*Thread Reply:* Any known timeline about this?

Jason Bayton (jason@bayton.org)
2019-02-10 18:48:04

*Thread Reply:* Mid March

msavolainen (mikko.savolainen@datainfo.fi)
2019-02-11 07:58:34

*Thread Reply:* Any article about this old API case?

Jason Bayton (jason@bayton.org)
2019-02-11 08:40:59

*Thread Reply:* You should've received an email on it: http://pages.mobileiron.com/DOGu10V0HIX00t0GlW0g0cI

msavolainen (mikko.savolainen@datainfo.fi)
2019-02-11 08:57:12

*Thread Reply:* ok, this one, thanks 😃

MichaelM21 (mike.miller815@yahoo.com)
2019-02-11 11:05:46

*Thread Reply:* Thanks 🙏

Mark Vonk (mark.vonk@dahvo.com)
2019-02-08 20:37:38

Same for iOS APNS: Apple will soon deprecate the old protocol. Hence you will need to be on Core 10 or higher.

Jason Bayton (jason@bayton.org)
2019-02-08 20:38:17

There's a lot of stuff happening all at once right now.

👍 NicolasR, MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-02-11 12:26:51

Can anyone explain to me what that indicates? We deploy a lockdown policy for Android, where these features are enabled. Not sure what disabled means in this context.

Jason Bayton (jason@bayton.org)
2019-02-11 12:29:45

Left: Settings value (your policy). Right: What the device is enforcing. Icon: Match (✔️) or Not (❎)

MichaelM21 (mike.miller815@yahoo.com)
2019-02-11 12:31:37

So in that case the device doesn’t enforce „allow unknown source“.. meaning it is disabled until the user enables it?

Jason Bayton (jason@bayton.org)
2019-02-11 12:37:09

Not necessarily, you've also got usb storage and youtube showing as disabled on the device, which there'd be no enforcement of without a policy. Is the device properly enrolled with the policies showing applied? I'd think default security policies are in place while it finishes enrolling looking at that, but also is this the lockdown policy you're applying being referenced or just the first set of ❎ you've seen?

MichaelM21 (mike.miller815@yahoo.com)
2019-02-11 12:41:26

*Thread Reply:* I have enrolled the device via DPC, so it is work managed COBO. The lockdown policy is „Applied“, but a lot of values have the ❎

MichaelM21 (mike.miller815@yahoo.com)
2019-02-11 12:41:57

*Thread Reply:* But also some of them are ✅

Jason Bayton (jason@bayton.org)
2019-02-11 12:54:57

*Thread Reply:* That which is currently blocked on the device according to the screenshot, can you test it?

MichaelM21 (mike.miller815@yahoo.com)
2019-02-11 14:50:05

*Thread Reply:* Re-Enrolled the device, looks better now.. weird.. thx.. do you have experiences with printing from the Work Profile? It looks like it is not working trying to connect a printer via Bluetooth from within the Work Profile.

Jason Bayton (jason@bayton.org)
2019-02-11 16:15:27

*Thread Reply:* My only experience is either utilising cloudprint, or apps like the epson/hp print enabler. Beyond that.. I certainly haven't tested via bluetooth

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-02-11 20:29:38
Jason Bayton (jason@bayton.org)
2019-02-11 20:31:30

*Thread Reply:* Good catch! There's your answer then

👍 MichaelM21
msavolainen (mikko.savolainen@datainfo.fi)
2019-02-12 11:51:00

Anyone seen this on Core: Authentication server at https://accounts.google.com/o/oauth2/token is not reachable

Phil Hackett (phil.hackett83@gmail.com)
2019-02-12 11:57:36

*Thread Reply:* Yep, this AE service test fails on our Core’s as well. It’s a known issue for Core 9.6-10.1. It should not impact AE device management. https://community.mobileiron.com/docs/DOC-8547

msavolainen (mikko.savolainen@datainfo.fi)
2019-02-12 12:01:38

*Thread Reply:* okay, didn

msavolainen (mikko.savolainen@datainfo.fi)
2019-02-12 12:01:48

*Thread Reply:* t seen this before

msavolainen (mikko.savolainen@datainfo.fi)
2019-02-12 12:04:16

*Thread Reply:* thanks

macbentosh (benbergthold@gmail.com)
2019-02-12 22:49:24

any idea why apps@work webclick gets pushed out to all devices again after a core update?

NicolasR (raison_nicolas@me.com)
2019-02-12 22:49:49

The URL changes with CORE version at the end ;-)

macbentosh (benbergthold@gmail.com)
2019-02-12 22:50:17

our users don’t like that

NicolasR (raison_nicolas@me.com)
2019-02-12 22:50:25

Mine too :-D

macbentosh (benbergthold@gmail.com)
2019-02-12 22:50:41

so no way to fix it then?

NicolasR (raison_nicolas@me.com)
2019-02-12 22:52:04

I never tried but I guess if you push Apps@work webclip via another config manually created and removing this value, it should work. Of course remove distribution via the System config

NicolasR (raison_nicolas@me.com)
2019-02-12 22:52:29

Never tested though, I just know that this parameter of the url is not required

Kiran Patel (kiran@kiranpatel.net)
2019-02-13 02:46:53

Apps@Work needs a lot of TLC... experience compared to other vendors in the space is horrible

Kiran Patel (kiran@kiranpatel.net)
2019-02-13 02:47:21

only part that was recently added that I like is pre-req apps but even that doesn't have a "download all" option that includes the current app you're trying to install

MichaelM21 (mike.miller815@yahoo.com)
2019-02-13 13:17:10

Has anyone ever heard of this if an AD user has too many group memberships that they are not able to enroll in MobileIron via M@W?

Martin Hillerö (martin.hillero@techstep.se)
2019-02-13 13:51:20

@Martin Hillerö has joined the channel

Luc (luc.rames@digitaldimension.fr)
2019-02-13 16:03:42

@MichaelM21 No, and I have some examples that are working

Mark Vonk (mark.vonk@dahvo.com)
2019-02-14 11:28:07

I am setting up an AE Kiosk with Core 10.2. I register the device with a QR code. As soon as I register within the Mobile@Work client, the device is soon after reset to factory settings. My guess is that a profile change occurs and hence the device is reset. The kiosk config/policy is labeled to the device manually. Any idea if that is the issue and if so how I circumvent it?

Jason Bayton (jason@bayton.org)
2019-02-14 11:46:51

The only reason that should happen is if the mandatory AE config isn't applied.

Peksi (pekko.kovanen@outlook.com)
2019-02-14 12:26:40

@Peksi has joined the channel

Mark Vonk (mark.vonk@dahvo.com)
2019-02-14 13:23:47

Another 10 points for Jason on the Android Enterprise leadership board! Thanks, indeed the AE config was not applied correctly.

😄 Jason Bayton
Jason Bayton (jason@bayton.org)
2019-02-14 14:15:53

Easy fix 😄

macbentosh (benbergthold@gmail.com)
2019-02-14 15:20:40

so upgraded to 10.2 yesterday…VPP will sync but is not handing out lic.

macbentosh (benbergthold@gmail.com)
2019-02-14 15:20:44

Update the token?

Kiran Patel (kiran@kiranpatel.net)
2019-02-14 15:39:02

Anyone have experience with MI Core LDAP sync hitting a 25% shift change and trying to figure it out from the logs?

Kiran Patel (kiran@kiranpatel.net)
2019-02-14 15:39:15

I'm seeing a few of these in the logs but not many. ldap hash 3c323af94a7d2fd7bab67778fc87eb34 does not match db hash

Kiran Patel (kiran@kiranpatel.net)
2019-02-14 15:39:30

Figured I'd poll the experts while support gets through 🙂

Anders Ekelund (anders.ekelund@techstep.se)
2019-02-14 15:39:33

@Kiran Patel it shows in the LDAP sync log in system manager

Kiran Patel (kiran@kiranpatel.net)
2019-02-14 15:40:13

Yup I've scraped through that but unfortunately not super useful / human readable

Anders Ekelund (anders.ekelund@techstep.se)
2019-02-14 15:41:29

if it is in fact the threshold, it's usually pretty clear.

Anders Ekelund (anders.ekelund@techstep.se)
2019-02-14 15:43:09

looks like this:

Anders Ekelund (anders.ekelund@techstep.se)
2019-02-14 15:43:17
Jason Bayton (jason@bayton.org)
2019-02-14 15:45:29

Cloud and legacy Android question -

Where's the option to remove apps on retire? I went looking for it in the app config area thinking it was like iOS only to see nothing exists there. I've got a customer retiring devices on which corporate apps aren't being removed.

Anders Ekelund (anders.ekelund@techstep.se)
2019-02-14 15:45:38
Kiran Patel (kiran@kiranpatel.net)
2019-02-14 15:48:28

ah yes, where is that again?

Kiran Patel (kiran@kiranpatel.net)
2019-02-14 21:43:50

*Thread Reply:* Ughh turned out to be some massive query AD groups were removed from enough users’ “member of” attribute even though we aren’t using those groups in AD. Learn something new everyday!

macbentosh (benbergthold@gmail.com)
2019-02-14 16:07:39

anyone having vpp issues

Rajesh Kumar (rajes20@gmail.com)
2019-02-14 16:34:59

@Rajesh Kumar has joined the channel

Woody (eric.woodland@trust.tc)
2019-02-14 18:02:11

@macbentosh try @here

macbentosh (benbergthold@gmail.com)
2019-02-14 18:09:29

hate to do this but… @here upgraded to 10.2 yesterday. VPP install messages are getting sent to the device but the devices are asking for itunes login. These are Supervised DEP devices and have received apps from core before. Anyone out there experience any issues with VPP and an upgrade to 10.2 or seeing VPP issues in general? Our token for VPP checks out.

Jason Bayton (jason@bayton.org)
2019-02-14 18:12:13

*Thread Reply:* If you're being prompted for login, that suggests VPP isn't taking precedence over the standard label assignment.

Have you tried renewing and readding VPP? Maybe on a test app try assigning only to the VPP label and not the standard? (That dual-label assignment was a bug)

macbentosh (benbergthold@gmail.com)
2019-02-14 18:16:03

*Thread Reply:* Not sure what you mean about the dual label part

macbentosh (benbergthold@gmail.com)
2019-02-14 18:16:26

*Thread Reply:* renewing VPP? Re-import the token?

Jason Bayton (jason@bayton.org)
2019-02-14 18:33:39

*Thread Reply:* In core you assign the app to a label, then assign VPP to a label.

Jason Bayton (jason@bayton.org)
2019-02-14 18:33:59

*Thread Reply:* Wasn't tooooo long ago you'd only need to do the VPP label and not the app label.

macbentosh (benbergthold@gmail.com)
2019-02-14 18:35:49

*Thread Reply:* we have a blanket vpp label called Apps …All devices that are eligible for VPP apps. Then we advertise the app to the people we want to with a different label

Mark Vonk (mark.vonk@dahvo.com)
2019-02-14 18:14:44

For immediate production issues, I would rather consult MobileIron support or your Mobileiron partner. That being said; sounds like the app is not pushed as a device VPP app, but rather a normal AppStore app; hence the Apple ID pop up. Sounds like the Core is not actually connecting to VPP. Reset the default cipher suites for outgoing communication on the Core and restart it. Renew the VPP token and make a change (buy 1 extra license for a free app) and check in the MIFS logs for issues.

👏 Jason Bayton
👍 Woody
macbentosh (benbergthold@gmail.com)
2019-02-14 18:39:51
macbentosh (benbergthold@gmail.com)
2019-02-14 18:15:19

I have a case with MI

👍 Woody
Mathieu Bernier (mathieu.bernier@gmail.com)
2019-02-14 20:18:13

@Mathieu Bernier has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2019-02-14 21:42:57

Yup I actually scanned the 10.2 release notes and they made specific reference to the TLS / cipher changes and a note about ABM support

macbentosh (benbergthold@gmail.com)
2019-02-14 21:43:16

o rly?

macbentosh (benbergthold@gmail.com)
2019-02-14 21:43:30

i saw the tls changes

Amar (amar.shah@outlook.com)
2019-02-14 21:50:52

@Amar has joined the channel

Amar (amar.shah@outlook.com)
2019-02-14 21:51:39

@Amar has left the channel

macbentosh (benbergthold@gmail.com)
2019-02-14 21:59:20
Jorn Erik Hornseth (jh@syscomworld.com)
2019-02-14 22:01:03

@Jorn Erik Hornseth has joined the channel

System Admin (sagar080890@gmail.com)
2019-02-15 00:53:39

@System Admin has joined the channel

Jay Patel (jay991@gmail.com)
2019-02-15 02:25:16

@Jay Patel has joined the channel

Richard Li (richard2jp@gmail.com)
2019-02-15 03:06:22

@Richard Li has joined the channel

Manfred Bremmer (mbremmer@computerwoche.de)
2019-02-15 06:03:57

@Manfred Bremmer has joined the channel

Bharat Madimi (madimibharat92@gmail.com)
2019-02-15 06:49:15

@Bharat Madimi has joined the channel

Kjell Eilertsen (kjell.i.eilertsen@gmail.com)
2019-02-15 07:19:56

@Kjell Eilertsen has joined the channel

Jesper Ståhl (jepsan@gmail.com)
2019-02-15 09:22:25

@Jesper Ståhl has joined the channel

Johannes Harbs (harbs.johannes@gmail.com)
2019-02-15 09:41:47

@Johannes Harbs has joined the channel

Sharon (sharon.samson@anz.com)
2019-02-15 10:12:03

@Sharon has joined the channel

Kévin LORET (kevin.loret@gmail.com)
2019-02-15 10:21:21

@Kévin LORET has joined the channel

Sragnob (maartinos@gmail.com)
2019-02-15 10:45:35

@Sragnob has joined the channel

Jaap Noorda (jaapnoorda@gmail.com)
2019-02-15 12:05:54

@Jaap Noorda has joined the channel

Mikko Koljander (mikko.koljander@teliacompany.com)
2019-02-15 12:18:12

@Mikko Koljander has joined the channel

Narcwolf (ybier1@gmail.com)
2019-02-15 14:02:03

@Narcwolf has joined the channel

Martin (mto@mobileiron.com)
2019-02-15 14:41:29

@Martin has joined the channel

macbentosh (benbergthold@gmail.com)
2019-02-15 16:42:57

enabled TLSv1 and 1.1 and can push VPP. Did MI ever disable v1 in an update?

MichaelM21 (mike.miller815@yahoo.com)
2019-02-15 17:27:53

Yes with Core 10.2.0.0

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-02-15 17:46:42

@Adrian Patrascu has joined the channel

NicolasR (raison_nicolas@me.com)
2019-02-15 20:43:04

@macbentosh port 8080 is now disabled ;-) Only port 443 for provisioning since iOS 12

Anuj (anuj71307@gmail.com)
2019-02-15 21:33:10

@Anuj has joined the channel

AbhishekPd (abhiprasad04@gmail.com)
2019-02-16 00:50:03

@AbhishekPd has joined the channel

Peter Mohr (pm@conscia.com)
2019-02-16 08:50:46

@Peter Mohr has joined the channel

Thiago Neves (ttn.passos@gmail.com)
2019-02-16 10:45:17

@Thiago Neves has joined the channel

David Johansson (david.johansson@outlook.com)
2019-02-16 16:35:06

@David Johansson has joined the channel

Michał Konowrocki (conovrocky@gmail.com)
2019-02-16 20:19:34

@Michał Konowrocki has joined the channel

Khalid (dashingkhalid@gmail.com)
2019-02-17 07:22:42

@Khalid has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-02-17 09:40:04

MobileIron Authenticator works only with Access as a Service, right?

Mark Vonk (mark.vonk@dahvo.com)
2019-02-17 10:33:51

Yes

🙏 MichaelM21
Clark (76clark@gmail.com)
2019-02-17 19:22:47

And it will not work when leveraging delegated IDP either.

NicolasR (raison_nicolas@me.com)
2019-02-17 19:24:26

I wonder if MobileIron will continue Access sentry for long time as there is feature difference

Michael Auerbach (mau@conscia.com)
2019-02-18 09:08:01

@Michael Auerbach has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-02-18 12:34:57

@Clark : authenticator will not work when Access as a Service is used as Delegated IdP?

Mark Vonk (mark.vonk@dahvo.com)
2019-02-18 12:43:31

Yes again

MichaelM21 (mike.miller815@yahoo.com)
2019-02-18 12:45:22

Holy mother.. 😳 this is some bad news.. again! 😂 thanks @Mark Vonk

Peter Mohr (pm@conscia.com)
2019-02-18 12:46:15

Why is that bad news? You're delegating your auth to MI Access and just let Access handle everything. Device compliance etc

MichaelM21 (mike.miller815@yahoo.com)
2019-02-18 12:47:37

I am talking about MobileIron Authenticator App. If I can‘t use Two Factor Authentication when Access as A Service is used as Del IdP, how is this good news if I need a second factor?

MichaelM21 (mike.miller815@yahoo.com)
2019-02-18 12:49:15

Are we talking about the same?

Mark Vonk (mark.vonk@dahvo.com)
2019-02-18 12:53:51

If you use Access as a Delegated IDP, the authentication is not handled for all clients by Access, only the mobile devices authentication requests are handled by Access. Authenticator is used to authenticate other clients, not mobile devices.

MichaelM21 (mike.miller815@yahoo.com)
2019-02-18 12:56:30

And the gap closes.. 🙈😂 silly me, gotcha! Thanks, pretty obvious looking at it from that viewpoint. No more 🍺 for me on a Monday morning, jesus.

😆 Woody, Jason
JmB (jean-marc.bichaud@econocom.com)
2019-02-18 13:50:22

@JmB has joined the channel

JmB (jean-marc.bichaud@econocom.com)
2019-02-18 13:50:41

Hello Guys

Anyone has problems on auto-update on Android Enterprise applications on Work managed device? None of our applications is updating automatically on Professional play store 😞
MI Cloud settings -> Install auto
Local Android settings -> Allow autoupdate on any network

Jason Bayton (jason@bayton.org)
2019-02-18 13:53:12

Haven't tested cloud specifically but no issues to date with Core

Denmaru (florian.lampel@cancom.at)
2019-02-18 14:01:45

Hello everyone! Does anyone in here know if an iOS update (e.g. from 12.1.0 to 12.1.4) gets logged in MI, and if so, where?

Phil Hackett (phil.hackett83@gmail.com)
2019-02-18 16:00:25

You can use filter labels to track this. Just create filter labels for each iOS version, then when a device updates from iOS 12.1.0 to iOS 12.1.4, you will see the label change in the logs.

MichaelM21 (mike.miller815@yahoo.com)
2019-02-18 16:05:40

Is there a way to send system events to a distribution list instead directly to admins? (Core)

Clark (76clark@gmail.com)
2019-02-18 16:30:03

@MichaelM21 create a local user that has the email address of the distribution list and assign the alerts to this local user.

✅ Woody
MichaelM21 (mike.miller815@yahoo.com)
2019-02-18 16:35:10

*Thread Reply:* Gotcha. The user needs to be an Admin? No registered device necessary for that user?

Clark (76clark@gmail.com)
2019-02-18 23:50:18

*Thread Reply:* You do not need to give the user any admin rights or register a device against it. Just in the event you are monitoring in the admins section search for the user.

🙏 MichaelM21
Marc Brandenburg (mobilxperts@marcbrandenburg.com)
2019-02-18 22:43:45

@Marc Brandenburg has joined the channel

FullMobile (mihai.zapuc@gmail.com)
2019-02-19 09:36:21

@FullMobile has joined the channel

Yasar (siddiqui.arfat@yahoo.in)
2019-02-19 11:31:18

@Yasar has joined the channel

Antonio Maiello (amaiello@mobileiron.com)
2019-02-19 16:13:59

@Antonio Maiello has joined the channel

System Admin (sagar080890@gmail.com)
2019-02-20 01:49:34

Actually I need to manage iOS Devices via jamf as we are already using for Mac

System Admin (sagar080890@gmail.com)
2019-02-20 01:49:54

Now the question is can we connect iOS devices to corporate network

System Admin (sagar080890@gmail.com)
2019-02-20 01:50:36

In our organization the main issue is that to connect to the corporate network a device should be AD Bound

Woody (eric.woodland@trust.tc)
2019-02-20 01:51:19

@System Admin who do you use for your Corporate WiFi?

Woody (eric.woodland@trust.tc)
2019-02-20 01:51:42

Also, if this is specific to Jamf.. we could shift to #jamf

System Admin (sagar080890@gmail.com)
2019-02-20 01:52:05

@Woody it's not basically jamf , is it possible for any mdm

Woody (eric.woodland@trust.tc)
2019-02-20 01:52:59

So, what is being used for Corporate WiFi infrastructure?

Woody (eric.woodland@trust.tc)
2019-02-20 01:53:50

If the MDM has integrations with the WiFi vendor, you could deploy a WiFi Profile with Identity Certificate and have the WiFi vendor check against the MDM/CA for validity, etc

Woody (eric.woodland@trust.tc)
2019-02-20 01:55:30

It’s not technically a domain join (let’s be honest, mobile devices don’t really join domains), but it’s an automated means to access Company WiFi based on good standing with management, ownership, etc

System Admin (sagar080890@gmail.com)
2019-02-20 01:56:29

@Woody correct in Mobile devices domain joined it's not possible or not the right word

System Admin (sagar080890@gmail.com)
2019-02-20 01:56:43

So I want to understand how it's possible and how can we achieve the same

Woody (eric.woodland@trust.tc)
2019-02-20 01:57:20

Good example would be Cisco ISE’s integration with something like MobileIron, etc

Woody (eric.woodland@trust.tc)
2019-02-20 01:58:13

Cert-based auth (great UX), but checks against MI APIs when a connection is requested from said device

System Admin (sagar080890@gmail.com)
2019-02-20 02:12:15

So is it possible in jamf...also what about AirWatch and SOTI

Woody (eric.woodland@trust.tc)
2019-02-20 02:15:36

So, Cert-Based (and integration with EMM) really depends on the WiFi vendor’s functionality

System Admin (sagar080890@gmail.com)
2019-02-20 02:18:12

@Woody can you please help me with CISCO ISE Integration more

Woody (eric.woodland@trust.tc)
2019-02-20 02:27:18

Sure - There’s a document/guide for it that should help explain it a bit more

Woody (eric.woodland@trust.tc)
2019-02-20 02:28:03

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01000.html#task_820C9C2A1A6647E995CA5AAB01E1CDEF

Woody (eric.woodland@trust.tc)
2019-02-20 02:29:34

You can Google the EMM you’d like to integrate and see if there is a guide for it

System Admin (sagar080890@gmail.com)
2019-02-20 02:37:27

@Woody looks perfect, but I guess this will only I'd organization using CISCO internet provider

Woody (eric.woodland@trust.tc)
2019-02-20 02:37:57

Right. Each Wireless Vendor has their own features and 3rd Party integrations

System Admin (sagar080890@gmail.com)
2019-02-20 02:50:56

Thanks buddy

Woody (eric.woodland@trust.tc)
2019-02-20 02:51:21

Any time!

System Admin (sagar080890@gmail.com)
2019-02-20 03:50:57

@Woody what about VPN?

Woody (eric.woodland@trust.tc)
2019-02-20 04:30:53

*Thread Reply:* In terms of iOS devices and what EMM platform?

System Admin (sagar080890@gmail.com)
2019-02-20 05:03:02

*Thread Reply:* iOS devices and Jamf

Woody (eric.woodland@trust.tc)
2019-02-20 06:23:33

*Thread Reply:* @System Admin your best bet is going to be to utilize whatever 3rd party VPN service you have, deployed via JAMF (e.g. Cisco AnyConnect, Pulse, etc)

System Admin (sagar080890@gmail.com)
2019-02-20 05:22:05

@Woody I checked we are using CISCO Wireless HW

👍 Woody
Woody (eric.woodland@trust.tc)
2019-02-20 06:49:12

*Thread Reply:* Do you happen to have Cisco ISE?

System Admin (sagar080890@gmail.com)
2019-02-20 06:53:10

*Thread Reply:* I am not Sure just I come to know CISCO Wireless HW

Woody (eric.woodland@trust.tc)
2019-02-20 06:54:23

*Thread Reply:* Okay @System Admin. Ask about your entitlement to ISE. That’s what would make the biggest difference when used with an EMM

Philip Harrison (CWSI) (pharrison@cwsi.ie)
2019-02-20 10:53:12

@Philip Harrison (CWSI) has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-02-20 11:20:42

Where would you place the Reporting Database? In the DMZ or Internal? Since the RDP will not need to be accessible from the Internet, Internal should be fine - only Port 7443 for Core.

Mark Vonk (mark.vonk@dahvo.com)
2019-02-20 11:55:53

Internal or some kind of management LAN, depending on the customers environment

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-02-20 12:01:28

*Thread Reply:* Thank you @Mark Vonk . Self Signed SSL Cert also enough, right?

Mark Vonk (mark.vonk@dahvo.com)
2019-02-20 14:05:24

*Thread Reply:* Yes that should be OK. Depends on what reporting service will talk to the RDB using what kind of protocol. But self signed is typically ok

🙏 MichaelM21
aaron4mobile (aaronleavey@gmail.com)
2019-02-20 14:00:30

Looking for some assistance in troubleshooting a device that shows up in the mobileiron cloud admin console but is not able to be managed (message says MDM disabled when try to do something like a forced checkin). Is there a way where you can get the device communicating again with MI without going the route of completely wiping the device and starting over? Thx!!

Mark Vonk (mark.vonk@dahvo.com)
2019-02-20 14:04:12

Android or iOS?

aaron4mobile (aaronleavey@gmail.com)
2019-02-20 14:06:43

Hi @Mark Vonk it's an iOS device. Unfortunately, do not have physical access to the device 😞 Was told they were not able to delete the mdm profile on the device.

Mark Vonk (mark.vonk@dahvo.com)
2019-02-20 14:09:25

Are iOS devices supervised? Because the error sounds like the MDM profile is already removed. But “not able to delete it” sounds like the MDM profile is unremovable.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-02-20 14:10:21

DEP, supervised or traditional? Maybe reenroll in the MobileIron App?

aaron4mobile (aaronleavey@gmail.com)
2019-02-20 14:14:15

Most are supervised (e.g. DEP enrolled) but this one I need to confirm but appears to not be DEP enabled. Yes, it's like it's disconnected from Mobileiron yet the profile is locked and unremovable from the device. Kind of stuck. @Wolfgang Bauer I did delete the device from MI and then had them re-enroll. I see the device but it's not talking to MI as it seems that it has remnants from the prior enrollment.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-02-20 14:28:20

if all other devices with the same configuration and location work I would recommend a wipe or DFU mode iOS reinstall and then reenroll

aaron4mobile (aaronleavey@gmail.com)
2019-02-20 14:34:41

Thanks @Wolfgang Bauer I think those are my only options at this point. Was hoping to not have to go that route but seems like that is the way to get it fixed so that i can re-enroll device.

Pierre Michaud (thunderbirt@gmail.com)
2019-02-20 17:18:29

@Pierre Michaud has joined the channel

macbentosh (benbergthold@gmail.com)
2019-02-20 20:44:22

what hotel is everyone looking at for LIVE!

MichaelM21 (mike.miller815@yahoo.com)
2019-02-21 05:28:28

*Thread Reply:* The H2 on Alexanderplatz is pretty good

Anders Ekelund (anders.ekelund@techstep.se)
2019-02-22 10:10:47

*Thread Reply:* Hotel NH Berlin Alexanderplatz

J kruit (j.kruit@partner.samsung.com)
2019-02-21 08:48:29

@J kruit has joined the channel

Srikanth (srikanth.gone@live.com)
2019-02-21 09:31:01

@Srikanth has joined the channel

mahiroux (mhyb.mk@gmail.com)
2019-02-21 15:11:32

I have configured Graph API in Mobileiron MDM and policies are working on iOS devices however it does not work on Android devices configured with AE.

What I have noticed is whenever I sign in to Microsoft apps, it gives a warning that it requires company app. Appreciate any assistance to fix this issue.

Phil Hackett (phil.hackett83@gmail.com)
2019-02-21 15:25:39

Have you installed the MS Company Portal App in Work Profile? It’s required for App Protection Policies on AE devices. You don’t need to sign-in to the portal app, just make sure it’s installed.

👍 Mark Vonk, MichaelM21, Anders Ekelund, mahiroux
👋 mahiroux
danlux (dan.luchsinger@dignityhealth.org)
2019-02-21 18:43:51

@danlux has joined the channel

Anders Ekelund (anders.ekelund@techstep.se)
2019-02-22 10:07:30

out of curiosity, how are people solving the issue with end-users not opening the MobileIron-client after an iOS DEP-enrollment?

Phil Hackett (phil.hackett83@gmail.com)
2019-02-22 16:46:19

*Thread Reply:* MI have a KB article on how you can deal with this: https://community.mobileiron.com/docs/DOC-7771

Phil Hackett (phil.hackett83@gmail.com)
2019-02-22 16:50:12

*Thread Reply:* We are looking at increasing the time window that a user has to launch the Mobile@Work app after DEP enrollment. MI recommended setting this at 1 week maximum. But there are customers who have it set to 6 months….

Anders Ekelund (anders.ekelund@techstep.se)
2019-02-25 13:41:38

*Thread Reply:* okay, I've been in contact with MobileIron, and they said to be careful with the window due to not filling the database.. but having it set to 6 months sounds perfect 🙂

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-02-22 10:58:25

Send them appconnect apps, which they want to use/test. They will trigger the client.

Sebastian (registration@talue.fr)
2019-02-22 20:29:20

@Sebastian has joined the channel

Stefan Klix (stefan.klix@googlemail.com)
2019-02-22 22:59:28

@Stefan Klix has joined the channel

mahiroux (mhyb.mk@gmail.com)
2019-02-23 05:02:12

I am unable to sync emails on Xiaomi MI 6 (OS 8.0) using AE. Settings crashes whenever I try to activate device admin for gmail. Anyone is facing this issue?

Jason Bayton (jason@bayton.org)
2019-02-23 09:07:15

Xiaomi isn't an enterprise OEM, and they currently have little desire to change that.

Try getting logs (bug report) after it crashes but if you can avoid it don't use Xiaomi in enterprise

Mathieu Maillet (mathieumaillet.fr@gmail.com)
2019-02-23 22:35:52

@Mathieu Maillet has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-02-24 19:49:02

Is Help@Work for iOS with TeamViewer integration now part of Core 10.2.0.0 - any experiences yet?

Sragnob (maartinos@gmail.com)
2019-02-25 08:23:44

COPE + Samsung scenario - We cannot use Gmail and configure it in work profile when it is in the private part already because of "leave all system apps enabled" via KME. Either we can't push the apps through managed google play to the work profile, or the apps lose their configuration (the exchange account is added and deleted)

It works fine to push Gmail and chrome via managed google play, and configure them with mobileiron when system apps are disabled but not otherwise. We can of course not deactivate all system apps, because then the phone becomes so user-unfriendly.

Works fine with NOKIA, huawei etc - any tips for samsung?

thebjohn (brandonjohnson518@gmail.com)
2019-02-25 17:16:06

@thebjohn has left the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-02-25 19:51:59

Does it make sense to create different labels for Email+ configs and the Email+ app itself?

Almar Diehl (almar.diehl@blaud.com)
2019-02-25 20:09:06

*Thread Reply:* Only if you wish to have different configs for different user/device groups.

👍 Woody
MichaelM21 (mike.miller815@yahoo.com)
2019-02-25 20:26:21

*Thread Reply:* Right, good point. I am thinking if this could cause issues where in some cases apps would end up without the config on the device depending how the order is within the Core queue? Also I can achieve that with Label A for Config A + app and Label B for Config B + app. I don’t see the pros. I have seen devices where Email+ drops the error „no config“..

Woody (eric.woodland@trust.tc)
2019-02-25 21:46:19

*Thread Reply:* Yeah as @Almar Diehl mentioned--it’s usually best to keep the App+Configs under a single label, unless you have multiple configs for different regions, LOBs, etc.

mahiroux (mhyb.mk@gmail.com)
2019-02-26 07:16:24

I have configured Graph API to enforce DLP controls for Microsoft Apps on both iOS and Android devices however user can sign out and that disables all controls. Is there a way to limit sign out from Microsoft apps? Secondly, I can also login with my personal O365 account so that I can bypass all DLP controls of my work account. Is there a way to stop multi identity on Microsoft apps?

JmB (jean-marc.bichaud@econocom.com)
2019-02-26 08:15:57

*Thread Reply:* Hello,

Very good article for identity management in O365 apps on MobileIron

Android https://www.mobileiron.com/fr/blog/solving-office-365s-multi-identity-crisis-android

iOS https://www.mobileiron.com/en/blog/solving-office-365s-multi-identity-crisis-ios

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-26 07:37:23

If a user signs out then the corp data goes with it. You have to make sure that any app which has access to your company back end is a part of the mam policy set (eg, don’t use native mail).

And yes, there is an app config key you can enter into the mam policy which restricts non-corporate accounts.

IntuneMAMAllowedAccountsOnly

However I think this key only works if you are using intune for device management.

👍 mahiroux
Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-26 07:38:05

Ah, just checked, it’s a generic app config key you can use MI to deploy.

Simon Hardy-Bistagne (simon@smnhdy.com)
2019-02-26 07:38:21

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune

mahiroux (mhyb.mk@gmail.com)
2019-02-26 08:25:10

@Simon Hardy-Bistagne Thank you so much. It was much helpful. Please advise if we can use variables in the Key values?

Mark Vonk (mark.vonk@dahvo.com)
2019-02-26 09:41:15

Android / iOS Key IntuneMAMAllowedAccountsOnly value: Enabled
iOS Key IntuneMAMUPN value: $USERUPN$
Android Key com.microsoft.intune.mam.AllowedAccountUPNs value: $USERUPN$

This is for MobileIron Core. Also check out: https://community.mobileiron.com/docs/DOC-6583 and https://community.mobileiron.com/message/5895

👍 MichaelM21, mahiroux
MichaelM21 (mike.miller815@yahoo.com)
2019-02-26 15:50:37

Hey guys, should it be possible to copy/paste from unmanaged iOS apps like Messages/iMessage into Email+? There is a restriction to control this, right?

Woody (eric.woodland@trust.tc)
2019-02-26 15:57:59

You can allow/disallow this via the Allow Unmanaged Apps/Managed Apps …in the iOS Restrictions Policy

Woody (eric.woodland@trust.tc)
2019-02-26 15:58:55

IMHO - Allowing data to come in is fine. Letting it leave from managed to unmanaged is a no-no

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-02-26 16:09:21

Thank you Woody, makes total sense. Are you whitelisting certain system apps within the appconnect policy or container policy to not cut off every little piece of usability - just curious how other companies do it.

Woody (eric.woodland@trust.tc)
2019-02-26 18:49:25

@MichaelM21 Honestly, anything that is AppConnect enabled resides in a container all of its own and is subject to AppConnect DLP controls (that was the original selling point for AppConnect)

Woody (eric.woodland@trust.tc)
2019-02-26 18:49:57

If you just deploy Email+ (without AppConnect config/container) then it would be subject to the native iOS DLP controls I mentioned above

SebastienP (spernot@gmail.com)
2019-02-27 08:09:38

SOLVED - Hello. We cannot upgrade from core 9.7.0.1 to 10. Space disk is fine >20Gb all pre requisite are ok. /boot is fine. Gui KO and cli KO (as mentioned a long time ago). We passed to 9.7.0.2 but now impossible to go to 10. Message in upgrade.log « rpm -q mi-ec » failed 1 » . Connector service has been disabled. Thanks in advance, case is open but take time.... and cannot find solution by myself

👍 Phil Hackett
Phil Hackett (phil.hackett83@gmail.com)
2019-02-27 08:12:07

*Thread Reply:* Is this a hardware appliance or VM? Which version of Core 10 are you trying to upgrade to?

SebastienP (spernot@gmail.com)
2019-02-27 08:16:13

*Thread Reply:* It is a vm. So 9.7.0.2 to 10.0.0.3 failed. Thanks

Woody (eric.woodland@trust.tc)
2019-02-27 14:25:30

*Thread Reply:* @SebastienP When do you observe that error? During the staging before the system reboots, during the attempted upgrade, etc? Have you stepped through the database validation and received a successful outcome?

SebastienP (spernot@gmail.com)
2019-02-27 14:33:39

*Thread Reply:* On reload and written into upgrade.log file. Cli don’t output failed. Database seems to pass because schema is validated in 9.7.0.0 « no upgrade required »

SebastienP (spernot@gmail.com)
2019-02-27 14:38:47

*Thread Reply:*

SebastienP (spernot@gmail.com)
2019-02-27 15:21:39

*Thread Reply:* Dear all problem is solved. Boot was the problem. 462 Mb free space was needed. My partner moved partitions and extended boot partition. It was written in the log but we did not catch it onto the video

👏 Woody
SebastienP (spernot@gmail.com)
2019-02-27 15:21:54

*Thread Reply:* Thanks guys

Woody (eric.woodland@trust.tc)
2019-02-27 16:26:41

*Thread Reply:* Good deal @SebastienP!

MichaelM21 (mike.miller815@yahoo.com)
2019-02-27 11:20:38

Guys we had to move Apps@Work over to 9443 because somebody enabled Mutual Auth in the settings on an old Core version and this can't be disabled anymore (there is a KB article for that). Problem is that we can't open Apps@Work on Android (device admin enrollment) anymore due to an SSL issue!? iOS works fine. No idea which SSL cert is relevant here, probably the SCEP for Mutual Authentication. Since it is a system config, no label is applied.

NicolasR (raison_nicolas@me.com)
2019-02-27 20:52:14

*Thread Reply:* I used port 7443 without issues. As far as I know mutual auth with Android Apps@work is not enabled until Core & Client 10.2 Is it your case?

👍 MichaelM21
Mark Vonk (mark.vonk@dahvo.com)
2019-02-27 21:03:15

*Thread Reply:* M@W 10.2 is for sure needed. Not sure about Core 10.2 as a prerequisite.

MichaelM21 (mike.miller815@yahoo.com)
2019-02-28 04:32:56

*Thread Reply:* Ok I might consider upgrading to Core 10.2.0.0. We currently have 10.1.0.1

MichaelM21 (mike.miller815@yahoo.com)
2019-02-28 16:51:31

*Thread Reply:* Solved - our Firewall Engineer messed up the rules so the user cert somehow got stripped due to SSL inspection feature. Weird that this affected only Android!

MichaelM21 (mike.miller815@yahoo.com)
2019-02-27 11:20:46
Mark Vonk (mark.vonk@dahvo.com)
2019-02-27 11:39:52

What certificate do you get when browsing to port 9443? With mutual auth, the devices must also present a client/identity cert. after enabling mutual auth, did someone configure the necessary steps? See the MI docs

MichaelM21 (mike.miller815@yahoo.com)
2019-02-27 12:25:38

*Thread Reply:* Browsing 9443 brings me the external trusted Portal certificate from Core.

MichaelM21 (mike.miller815@yahoo.com)
2019-02-27 12:26:20

*Thread Reply:* Only what is described in DOC-7604

Mark Vonk (mark.vonk@dahvo.com)
2019-02-27 20:27:53

*Thread Reply:* Check out page 203 and further of the Android device guide for Core 10.1 or higher and make sure to read and configure all that is needed. For instance:
However, Apps@Work for Android uses mutual authentication only if you do both of the following:
• Select Certificate Authentication at Apps > Apps@Work Settings > App Storefront Authentication.
• Enable the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication.

👍 MichaelM21
Mark Vonk (mark.vonk@dahvo.com)
2019-02-27 20:29:38

*Thread Reply:* Also read the paragraph “Migrating Mobile@Work for Android to use mutual authentication” See: https://community.mobileiron.com/servlet/JiveServlet/downloadBody/9349-102-2-33162/CoreDeviceMgmtAndroid10200_Rev17Jan2019.pdf#page197

MichaelM21 (mike.miller815@yahoo.com)
2019-02-28 04:31:43

*Thread Reply:* Thank you @Mark Vonk .. checked all these settings yesterday afternoon and everything is setup like the way it is described. @NicolasR We use Core 10.1.0.1 and M@W 10.2. Will do further troubleshooting today

Woody (eric.woodland@trust.tc)
2019-02-27 14:22:26

#FoodForThought @MichaelM21 … the need for Apps@Work can be eliminated by Android Enterprise. Just use that Google Play store, yo!

MichaelM21 (mike.miller815@yahoo.com)
2019-02-27 15:37:29

*Thread Reply:* You are absolutely right Woody, but I have still 200 zebra devices without GMS on them, so no AE possible 😢

😢 Woody
Matt Dermody (jmdermody@gmail.com)
2019-02-27 19:05:53

*Thread Reply:* Are you sure about that?

Matt Dermody (jmdermody@gmail.com)
2019-02-27 19:06:17

*Thread Reply:* I’m fairly certain Zebra enables DO based enrollment outside of GMS through StageNow

😳 MichaelM21, Woody
🙏 MichaelM21, Woody
Matt Dermody (jmdermody@gmail.com)
2019-02-27 19:06:54

*Thread Reply:* https://developer.zebra.com/thread/35648

Matt Dermody (jmdermody@gmail.com)
2019-02-27 19:07:09

*Thread Reply:* “Device Owner is supported on AOSP and have the Device Policy Manager APIs available to take advantage of OEMConfig. However, Google Play services APIs are not available on AOSP devices.”

Matt Dermody (jmdermody@gmail.com)
2019-02-27 19:08:25

*Thread Reply:* So you can use AEDO with AOSP on the Zebra Android devices but you obviously can’t distribute LoB apps through Managed Google Play since there are no GMS features

Matt Dermody (jmdermody@gmail.com)
2019-02-27 19:08:46

*Thread Reply:* You also can convert Zebra devices between GMS and AOSP if you really needed to.

MichaelM21 (mike.miller815@yahoo.com)
2019-02-27 19:24:23

*Thread Reply:* Wow 😮.. that is news to me! Thanks Matt, I will take a look at this. Zebra 🦓 is a pretty fresh topic for me! 😨

Matt Dermody (jmdermody@gmail.com)
2019-02-27 19:04:25

@Matt Dermody has joined the channel

EUC_Junkie (sean.barnardo@insight.com)
2019-02-28 14:02:28

@EUC_Junkie has joined the channel

Pierre (pierre.tabanous@digitaldimension.fr)
2019-02-28 16:02:04

@Pierre has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-02-28 17:01:30

Is there no option to detect if an NDES server is down? SCEP config had the status failed because NDES was not reachable, but it looks like there is no setting for this within the system event - everything checked in the system event but no event triggered for that - every other event works within the same system event

Ben (ben.witt@bb10qnx.de)
2019-02-28 19:34:57

@Ben has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-02-28 20:04:11

Anyone using the Apps@Work container app with current versions of Core? I have read the documentation how to implement this - a lot of steps.

Jason Bayton (jason@bayton.org)
2019-02-28 20:24:33

Yup, setting it up next week for a customer too

👍 MichaelM21
Mark Vonk (mark.vonk@dahvo.com)
2019-02-28 20:32:34

A lot of the steps only have to be done one time. Once done, you only need to keep it up to date, by downloading the new version and signing it again. All the Apple Dev steps aren’t needed anymore as you already have the required. But you should also remember the signing cert will expire and needs to be renewed.

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-02-28 20:42:23

Ok thanks.. Then I might have a closer look again tomorrow. Gotta get an Apple Developer account though, currently I don’t have one 😊

Mark Vonk (mark.vonk@dahvo.com)
2019-02-28 21:25:47

Make sure to get the enterprise dev account for $299: https://developer.apple.com/programs/enterprise/ That is needed to sign the apps for in-house distribution

👍 MichaelM21
Michał Kacprzak (michal.kacprzak@fancyfon.com)
2019-03-01 10:11:23

@Michał Kacprzak has joined the channel

Ankur Acharya (ankuracharya@gmail.com)
2019-03-01 23:37:07

@Ankur Acharya has left the channel

macbentosh (benbergthold@gmail.com)
2019-03-04 17:13:33

hi @here can on prem configure outlook app on iOS?

NicolasR (raison_nicolas@me.com)
2019-03-04 17:13:49

yup

NicolasR (raison_nicolas@me.com)
2019-03-04 17:13:57

it’s through managed app config

macbentosh (benbergthold@gmail.com)
2019-03-04 17:14:07

doc?

macbentosh (benbergthold@gmail.com)
2019-03-04 17:17:20

what if we have kerb auth?

EUC_Junkie (sean.barnardo@insight.com)
2019-03-04 17:18:31

@macbentosh a couple of documents for you to reference - 1) https://community.mobileiron.com/docs/DOC-1806 2) https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune

macbentosh (benbergthold@gmail.com)
2019-03-04 18:00:24

@NicolasR anything i need to do on the sentry to allow it?

NicolasR (raison_nicolas@me.com)
2019-03-04 18:00:50

not sure Outlook supports CBA

NicolasR (raison_nicolas@me.com)
2019-03-04 18:00:59

so I’ll say not working

macbentosh (benbergthold@gmail.com)
2019-03-04 18:02:44

cba?

macbentosh (benbergthold@gmail.com)
2019-03-04 18:02:59

even if i need username and password.

Mark Vonk (mark.vonk@dahvo.com)
2019-03-04 19:25:09

Outlook supports CBA. But MobileIron does not support Outlook from a Sentry perspective: https://community.mobileiron.com/docs/DOC-1806

Mark Vonk (mark.vonk@dahvo.com)
2019-03-04 19:27:19

But it does work, but only with passthrough (ie username and password auth). CBA that Outlook supports is not the same as CBA with Kerberos constraint delegation (which is what Sentry does)

Mark Vonk (mark.vonk@dahvo.com)
2019-03-04 19:27:58

And you will have to manually allow every device for the ActiveSync connection on the Sentry

Mark Vonk (mark.vonk@dahvo.com)
2019-03-04 19:29:21

Not a fan of using Outlook with on-premises Exchange. I would advise native mail apps with on-premises exchange or Outlook with Office365.

macbentosh (benbergthold@gmail.com)
2019-03-04 19:47:14

I don’t even see a way to authorize it in the activesync area @Mark Vonk

Mark Vonk (mark.vonk@dahvo.com)
2019-03-04 19:55:57

If you do not see your device, the device is not connecting properly to the Sentry. Either the configuration on the device is wrong, but I expect your Sentry is already set up for Kerberos constraint delegation and thus requires a client cert. If outlook does not present a certificate, the connection is closed due to the failed handshake and your device will not show up in the ActiveSync connections on the Core.

macbentosh (benbergthold@gmail.com)
2019-03-04 19:56:27

we have a basic auth sentry available too

Mark Vonk (mark.vonk@dahvo.com)
2019-03-04 20:22:23

Ok, so you will have to target that Sentry from your device as the Exchange hostname. If it still does not work, you will have to read the Sentry logs and find the issue. And that is the issue you will always have as it’s not supported; Mobileiron does not support Outlook and Microsoft does not support 3rd party reverse proxies for Exchange (ie the Sentry). So as far as I am concerned it’s not a valid option from an enterprise perspective.

Yasar (siddiqui.arfat@yahoo.in)
2019-03-05 07:29:40

This message is for Core customers on Android devices.

Google has announced end of life of two services that will affect customers with Android devices under management.

There is no impact to MobileIron Cloud. MobileIron Cloud already supports Firebase Cloud Messaging (FCM), and the HTTP batch endpoint upgrades will be performed by MobileIron before the end of life.

Google Cloud Messaging (GCM)

Mobile@Work and MobileIron Core rely on GCM today for push notifications to Android devices. This allows enterprises to perform a forced check-in, apply direct commands (like lock and unlock) to Android devices. Without GCM, these actions will not be applied until the next device check-in.

Impact: After the EOL of GCM, any MobileIron Core servers will not be able to reach Android devices until a scheduled check-in is triggered. This affects all Android devices managed by MobileIron - device admin, managed devices, work profile and Knox workspace.

End of Life date: As soon as April 11, 2019.

Mitigation: MobileIron will be introducing Firebase Cloud Messaging (FCM) with MobileIron Core and Mobile@Work Android prior to the GCM end of life. MobileIron Core offered FCM support in version 10.1, and Mobile@Work Android client will introduce support in March 2019.

Note that Mobile@Work Android client can ONLY support FCM or GCM but not both protocols, so once the March 2019 Mobile@Work client is released, any Core servers before 10.1 or earlier will no longer have push notification access to the managed Android device.

Recommendations: Please update MobileIron Core (to MobileIron Core 10.1) before the end of March 2019. When Mobile@Work is updated in Mar 2019, please update all clients to that version.

Google HTTP Batch Endpoints

For Android enterprise devices (managed devices, work profile, managed devices with work profile) using apps and app configs delivered from Google Play, MobileIron Core relies on APIs from Google Play using JSON-RPC and Global HTTP Batch to perform bulk operations such as app installs, delivering app configs and other operations. The existing APIs are being deprecated in favor of new endpoints by Google.

Impact: After the EOL of the existing batch endpoints, any MobileIron Core servers 10.0 or earlier will not be able to perform bulk operations on Google Play such as push installs, app config updates, and others. This affects all Android enterprise devices - managed devices, work profile and managed devices with work profile. Device admin and Knox workspace deployments are not affected as they do not rely on Play EMM APIs.

End of Life date: March 25, 2019

Mitigation: MobileIron Core was updated to be compatible with the new Google endpoints for batch operations at the end of Q3 2018. There is no Mobile@Work dependency.

Recommendation: Please update to MobileIron Core 10.1 before the End of Life date. http://pages.mobileiron.com/wI9HWCcOl0010tIG0070S04

👍 Woody, Phil Hackett
Nils Gerloff (nils.gerloff@your-side.de)
2019-03-05 11:28:03

@Nils Gerloff has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-03-07 09:06:31

How do I have to add a Sharepoint correctly within Docs@Work? If I add the fqdn of the Sharepoint like https://sharepoint.domain.com I get access, but I don’t see our relevant shares like https://sharepoint.domain.com/managment/files.. Is there a way to map the root fqdn and still browse every document within Docs@Work? If we open up our Sharepoint in a browser we can search for every document, but not within Docs@Work. Do I need to enable webview within D@W?

Luc (luc.rames@digitaldimension.fr)
2019-03-07 09:50:38

Hi, do you know if MobileIron can manage phones in Windows 10 IoT? and if so how? if you have any examples I am interested

Woody (eric.woodland@trust.tc)
2019-03-07 21:26:51

*Thread Reply:* So, are these machines running the Windows 10 or Windows Phone platform?

Jason Bayton (jason@bayton.org)
2019-03-07 15:35:58

Might anyone know if the recent TLS changes also apply to the connector?

Mark Vonk (mark.vonk@dahvo.com)
2019-03-07 15:49:05

From Connector to Core: yes

Mark Vonk (mark.vonk@dahvo.com)
2019-03-07 15:49:23

From Connector to ldap, obviously no

Jason Bayton (jason@bayton.org)
2019-03-07 15:54:00

Perfect thanks

Nafes Choudhry (choudhry.nafes@gmail.com)
2019-03-07 19:05:25

@Nafes Choudhry has joined the channel

macbentosh (benbergthold@gmail.com)
2019-03-07 21:23:26

quick semi emergency question for @here how do you force a quarantine?

NicolasR (raison_nicolas@me.com)
2019-03-07 21:26:45

Create a compliance rule / group that puts a device in quarantine when the Status = lost and apply to all the devices. Then select your device and set the lost mode ;-)

NicolasR (raison_nicolas@me.com)
2019-03-07 21:26:56

Also useful for many use cases of lost device

macbentosh (benbergthold@gmail.com)
2019-03-07 21:37:12

so weird locked both of her devices but it only q’d one…

macbentosh (benbergthold@gmail.com)
2019-03-07 21:40:25

it shows both devices in the condition (“common.status” = “LOST”) AND “common.retired” = false

macbentosh (benbergthold@gmail.com)
2019-03-07 21:40:33

but only one in the violations

macbentosh (benbergthold@gmail.com)
2019-03-07 21:45:49

any idea why it wont kick her other device in?

NicolasR (raison_nicolas@me.com)
2019-03-07 22:55:02

A device that was not lost was shown in the result of the compliance rule?

Praneet Gupta (praneetgupta.28@gmail.com)
2019-03-08 10:01:36

@Praneet Gupta has joined the channel

Luc (luc.rames@digitaldimension.fr)
2019-03-08 12:44:56

Hello, do you know if there is a way to authenticate a user on a proxy after tunneling on a sentry, kerberos certificates ... ?

NicolasR (raison_nicolas@me.com)
2019-03-08 13:16:43

*Thread Reply:* Nope.

NicolasR (raison_nicolas@me.com)
2019-03-08 13:17:27

*Thread Reply:* You can just add Context header but Context Header doesn’t work with TCP Tunnel and IP Tunnel

macbentosh (benbergthold@gmail.com)
2019-03-08 16:26:32

any tips on how to block all devices on or off network from hitting a URL?

NicolasR (raison_nicolas@me.com)
2019-03-08 16:53:47

What’s the use case?

NicolasR (raison_nicolas@me.com)
2019-03-08 16:53:51

and which OS?

macbentosh (benbergthold@gmail.com)
2019-03-08 19:41:34

why does mobileiron force the limit adult content when i just want to block one url?

Mark Vonk (mark.vonk@dahvo.com)
2019-03-08 20:43:46

It’s not Mobileiron; this is how the content filter payload works. Check it with the Apple Configurator or the Apple configuration profile documentation. When you want to blacklist URLs you must use the built-in Limit adult content setting

aaron (aaron@groundctl.com)
2019-03-09 11:20:58

The Configuration Profile Reference does permit a list of blacklisted URLs. MobileIron chose not to implement that. However you can create your own config profile and distribute that if you like.

Mark Vonk (mark.vonk@dahvo.com)
2019-03-09 14:24:15

Are you sure? The blacklisted URLs are possible, but only with the adult content setting. This is exactly like Apple Configurator works also.

aaron (aaron@groundctl.com)
2019-03-09 23:03:14

Aww, @Mark Vonk, just because Configurator can’t do it, doesn’t mean it isn’t possible!

aaron (aaron@groundctl.com)
2019-03-09 23:05:39

You can edit that .mobileconfig file to your liking, and install on any supervised device.

👍 Mark Vonk, Kiran Patel
MichaelM21 (mike.miller815@yahoo.com)
2019-03-11 09:23:36

How can I increase the timeout for Core Admin Portal on Core 10.2.0.0? Seems a bit shorter than with previous versions.

Mark Vonk (mark.vonk@dahvo.com)
2019-03-11 11:42:09

*Thread Reply:* You can change it in the system settings to 90 minutes.

🙏 MichaelM21
Nils Gerloff (nils.gerloff@your-side.de)
2019-03-11 09:27:58

Hi, I've a question about APIv2... I try to get user upn + custom user attribute. I have this API GET call, but I did not receive any content... Has someone an idea? https://[COREURL]/api/v2/devices?adminDeviceSpaceId=1&field=user.displayname,custom.user.[Attribute Name],user.ldap.upn&sortField=user.display_name

Nils Gerloff (nils.gerloff@your-side.de)
2019-03-11 11:36:40

Thanks, the issue is resolved... It's a XPOST query... 😛

mahiroux (mhyb.mk@gmail.com)
2019-03-11 15:56:36

Has anyone here deployed Azure information protection with Mobile iron MDM?

NicolasR (raison_nicolas@me.com)
2019-03-11 15:57:18

yup

NicolasR (raison_nicolas@me.com)
2019-03-11 15:57:31

what do you need?

mahiroux (mhyb.mk@gmail.com)
2019-03-12 04:35:27

*Thread Reply:* @NicolasR Hi, iOS users are unable to open protected documents when App protection policies (Graph API) are applied. We are using iOS native mail client and we also have Access (AasS). Also, I am facing an issue configuring policies to stop multi identity. I have configured values as shown below, IntuneMAMUPN --- $USER_UPN$ intuneMAMAllowedAccountsOnly ---Enabled

mahiroux (mhyb.mk@gmail.com)
2019-03-13 18:26:46

*Thread Reply:* @NicolasR Are you using Outlook or any other email clients on devices?

JmB (jean-marc.bichaud@econocom.com)
2019-03-11 17:47:10

Hello,

Does anyone know if it is possible to revoke certificates of a specific list of users (csv or label) with API or Assemble? We just need to regenerate the certificates because of users’ UPN format change. The certificates are issued by an external authority (NDES). Thank you

Mark Vonk (mark.vonk@dahvo.com)
2019-03-11 18:00:22

If the UPN changes, the Core should pick up the change and generate and push new ones. What are you after by doing it manually?

Mark Vonk (mark.vonk@dahvo.com)
2019-03-11 18:09:41

Depending on the use case, it seems you can use Assemble to do it: https://help.mobileiron.com/s/feed/0D53400004dlW8kCAE

JmB (jean-marc.bichaud@econocom.com)
2019-03-11 18:47:40

Hello Mark, thanks for your answer. Apparently, Core is regenerating certificates pretty randomly (colleague feedback). Our customer needs more precision in his timing. I don't know if it's just me but I cannot open your link on Assemble (Error page: Chatter is not enabled)

Mark Vonk (mark.vonk@dahvo.com)
2019-03-11 18:51:17

The link works for me, just opened it on a different device. But MI is busy moving to the new system, so I guess some things don’t work well yet.

Mark Vonk (mark.vonk@dahvo.com)
2019-03-11 18:51:31

Go to help.mobileiron.com and search for “Assemble/API - Revoke certificate from core”

Mark Vonk (mark.vonk@dahvo.com)
2019-03-11 18:51:53

In the comments (last one) you will see a comment with a working script (somewhat).

Mark Vonk (mark.vonk@dahvo.com)
2019-03-11 18:56:11

If you only change the UPN, you should be OK with Core. However, due to the nature of the LDAP implementation in Core, if you change more AD user object attributes, some things can break. For instance if the CN changes of a user object (last name changes for example) the relationship between the device owner and the LDAP object is disconnected. So in that case, MobileIron will never update the device if anything changes for that user (group membership, certificates, etc.)

👍 JmB
Elrod (michelr@cdw.com)
2019-03-12 14:00:22

@Elrod has joined the channel

JmB (jean-marc.bichaud@econocom.com)
2019-03-13 09:06:46

Hello MI Team, Anyone know how to force an LDAP Sync on Core? I have a 30 Sync interval but I need to force it for testing purposes. Thanks 🙂

Phil Hackett (phil.hackett83@gmail.com)
2019-03-13 09:08:34

*Thread Reply:* Devices & Users > Users > Resync with LDAP

👍 JmB
JmB (jean-marc.bichaud@econocom.com)
2019-03-13 09:14:48

*Thread Reply:* Nice, was looking on the Service > LDAP tab 🙂

Pierre (pierre.tabanous@digitaldimension.fr)
2019-03-13 09:15:11

go to USERS and click on sync 🙂

Pierre (pierre.tabanous@digitaldimension.fr)
2019-03-13 09:16:45

you should monitor the sync on MICS in case you reach the sync threshold set in the ldap preferences (if you enabled sync discard).

👍 JmB, NicolasR, Woody
Batish (batish.momin@gmail.com)
2019-03-13 09:22:14

@Batish has joined the channel

NicolasR (raison_nicolas@me.com)
2019-03-13 16:31:58

FYI, since KB move, you can bind AE here: https://help.mobileiron.com/s/android-enterprise-enrollment

👏 Jason Bayton, MichaelM21
👍 Woody
Woody (eric.woodland@trust.tc)
2019-03-13 19:19:25

Ah, okay. Looks like they followed the trend and shifted everything over to help.

NicolasR (raison_nicolas@me.com)
2019-03-13 20:55:56

Everything is now on Salesforce. Helps with better search engine they said and link to cases

👍 Woody
macbentosh (benbergthold@gmail.com)
2019-03-14 16:57:23

is there a wildcard for lables?

macbentosh (benbergthold@gmail.com)
2019-03-14 16:57:29

Labels?

Andrew Olpin (andy@olpin.us)
2019-03-14 17:04:34

Why would you need a wildcard for labels?

Andrew Olpin (andy@olpin.us)
2019-03-14 17:04:52

What are you attempting?

macbentosh (benbergthold@gmail.com)
2019-03-14 17:10:12

I want a label with all ips starting with 10.

Andrew Olpin (andy@olpin.us)
2019-03-14 17:11:21

So you want an advanced search label with wildcards. Interesting, but basing labels off of IP is tough. Since the devices only check in every 4 hours, you’ll have devices that are still in the label for hours after they’ve left that network.

Andrew Olpin (andy@olpin.us)
2019-03-14 17:11:46

I don’t remember if wildcards are supported in advanced search, and I can’t test it where I’m at. Anyone else?

Almar Diehl (almar.diehl@blaud.com)
2019-03-14 17:30:11

Sure : “common.ip_address” starts with “10.”

👍 Mark Vonk
macbentosh (benbergthold@gmail.com)
2019-03-14 17:54:52

*Thread Reply:* sorry would like it !=10

Mark Vonk (mark.vonk@dahvo.com)
2019-03-14 17:30:13

"Starts with 10." Should work if "starts with" is a valid parameter for the IP address

Andrew Olpin (andy@olpin.us)
2019-03-14 17:38:22

I’d forgotten “starts with” How quickly we forget....

macbentosh (benbergthold@gmail.com)
2019-03-14 17:55:13

sorry should have been does not start with 10

macbentosh (benbergthold@gmail.com)
2019-03-14 17:55:36

either way past that….How do you set it so that per app vpn only happens when they are off the network?

Mark Vonk (mark.vonk@dahvo.com)
2019-03-14 18:01:15

In the Per App VPN connection configuration. Don't need a label to do that... Besides that, a lot of home networks use 10.** so that would fail anyway

Andrew Olpin (andy@olpin.us)
2019-03-14 18:06:11

And the delay would kill you. You’d be on the corporate network for several hours before the policy changed, then home for several hours if it changed back.

Andrew Olpin (andy@olpin.us)
2019-03-14 18:06:42

Any way you can convince your network guys to shunt all mobile devices to an “internet only” connection? That way you don’t have to worry about personal apps on your corporate network.

macbentosh (benbergthold@gmail.com)
2019-03-14 18:47:46

ip and the vpn are different issues

macbentosh (benbergthold@gmail.com)
2019-03-14 18:47:49

IP is done

macbentosh (benbergthold@gmail.com)
2019-03-15 15:14:43

what does mobileiron offer in the way of reporting?

Woody (eric.woodland@trust.tc)
2019-03-15 15:36:48

@macbentosh in general, or something specific you’re looking to obtain?

macbentosh (benbergthold@gmail.com)
2019-03-15 15:40:04

not sure..Just got told to ask MI about a reporting system…

NicolasR (raison_nicolas@me.com)
2019-03-15 15:50:34

*Thread Reply:* Multiple reporting methods depending on your needs from the most basic one to the most advanced. From the simpler to the best/complete reporting experience:
1 - Embedded dashboards
2 - Assemble (kind of End of life by the way...)
3 - Reporting Database + BI Tool
4 - API - requires you to build your own scripts
5 - Third party IronWorks product

👍 Woody, MichaelM21
Woody (eric.woodland@trust.tc)
2019-03-15 16:09:09

*Thread Reply:* @NicolasR = Rockstar!

NicolasR (raison_nicolas@me.com)
2019-03-15 16:09:36

*Thread Reply:* 😉

Woody (eric.woodland@trust.tc)
2019-03-15 16:10:07

*Thread Reply:* BTW, I know they may be trying to EOL Assemble… but there is still a lot of that deployed/running. Might be in their best interest to maintain support if they’re being mindful of customer satisfaction

NicolasR (raison_nicolas@me.com)
2019-03-15 16:10:47

*Thread Reply:* at least MobileIron is not providing new features on that

👍 Woody
Woody (eric.woodland@trust.tc)
2019-03-15 18:08:25

*Thread Reply:* @NicolasR that’s understandable. While it wasn’t perfect, it certainly helped with a fair amount of cleanup and automation, etc

Mark Vonk (mark.vonk@dahvo.com)
2019-03-15 18:14:45

*Thread Reply:* Also, they might need to expose more in the API and document it better to be a complete replacement for Assemble.

👍 Woody
Woody (eric.woodland@trust.tc)
2019-03-15 19:13:19

*Thread Reply:* They need to both incorporate more features from Assemble into the base code of their products AND expose similar functions (and supporting documentation) in regards to the API

🤞 NicolasR
Andrew Olpin (andy@olpin.us)
2019-03-16 00:12:18

*Thread Reply:* Once Jack Zarris left, there really was no one who could maintain or add new features.

Woody (eric.woodland@trust.tc)
2019-03-18 14:19:00

*Thread Reply:* True @Andrew Olpin

Ladislav Blazek (ladislav@lblazek.cz)
2019-03-15 17:39:07

@Ladislav Blazek has joined the channel

Jason (jasonh@bridgeway.co.uk)
2019-03-15 18:36:10

@macbentosh You have the dashboard view, which gives you a snapshot in time - this moment’s stats for the various charts/graphs in that page

Jason (jasonh@bridgeway.co.uk)
2019-03-15 18:37:07

@macbentosh You have MobileIron Monitor, which gives you CPU, memory and disc performance data for operational network/infrastructure monitoring.

Jason (jasonh@bridgeway.co.uk)
2019-03-15 18:37:30

@macbentosh You have a syslog feed for importing into your existing SIEM

Jason (jasonh@bridgeway.co.uk)
2019-03-15 18:37:50

@macbentosh You have a Splunk module for doing the same into Splunk

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2019-03-15 18:38:33

Other than that, you have to look at ecosystem partners, e.g. IronWorks, or roll your own with the inbuilt APIs.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2019-03-15 18:41:15

Full disclosure - we are the organisation behind IronWorks, our senior management and operational intelligence reporting solution for the MobileIron platform.

Jason (jasonh@bridgeway.co.uk)
2019-03-15 18:42:04

Sorry, I’ve just realised I should have replied as a thread.

Jason (jasonh@bridgeway.co.uk)
2019-03-15 18:42:08

Hope this helped?

macbentosh (benbergthold@gmail.com)
2019-03-15 19:00:00

sent my boss the info for ironworks

👍 NicolasR
NicolasR (raison_nicolas@me.com)
2019-03-15 23:50:47

After finally 4 people trying to convince him to go work with ironworks, macbentosh will take it. @Jason don’t forget our sales bonus 😂👌

👍 Woody, MichaelM21
😆 JP Guldfeldt, mahiroux
Duncan (duncan@govalux.com)
2019-03-16 20:58:04

Does anyone know how I should request a username/password for being able to download MI software updates? I have a couple of (v9.2.1.5) Sentries in our isolated zone that refuse to update when I just click on the 'Check Updates' button. Therefore I want to try via CLI but that requires a username/password. I did check with our support partner but they don't seem able to help me.

Almar Diehl (almar.diehl@blaud.com)
2019-03-16 21:27:14

*Thread Reply:* Just create a support case and they will send you the credentials.

Rajesh Kumar (rajes20@gmail.com)
2019-03-17 01:31:16

*Thread Reply:* So from where you downloaded the sentry iso image file? For downloading the image file on your computer, I am sure it prompted to enter the username and pwd to download the software. You can use those same credentials to update in GUI or CLI. But make sure the correct port is open.

Ladislav Blazek (ladislav@lblazek.cz)
2019-03-17 07:17:42

*Thread Reply:* When you bought MI licenses they sent you download credentials. Do you know who is the main contact for your company? If not just create support case with MI. But good partner should help you with this situation.

👍 Rajesh Kumar
MichaelM21 (mike.miller815@yahoo.com)
2019-03-18 13:55:13

Does anyone know what is the highest number for Passcode Expiry on Core, can’t find anything in the guide. Trying to use 30 days.

NicolasR (raison_nicolas@me.com)
2019-03-18 17:36:36

*Thread Reply:* In the security policy you mean?

MichaelM21 (mike.miller815@yahoo.com)
2019-03-18 18:37:06

*Thread Reply:* Ah sorry was not clear enough - within Core Admin Portal under Settings / User & Devices / Registration / Passcode Expiry (hours)

Almar Diehl (almar.diehl@blaud.com)
2019-03-18 18:51:59

*Thread Reply:* Maximum is 4320 hours (180 days).

😳 MichaelM21, Woody
🙏 MichaelM21, Woody
MichaelM21 (mike.miller815@yahoo.com)
2019-03-18 18:53:06

*Thread Reply:* Thank you Almar 👍

Jason Bayton (jason@bayton.org)
2019-03-19 11:01:16

hello folks, might anyone have powerpoint/similar enrolment guides for MobileIron Cloud, for iOS DEP/non-DEP by chance?

Jason Bayton (jason@bayton.org)
2019-03-19 15:59:51

I have no access to iOS devices, and no one has created any internally.. so figured I’d look to this fine community 😎 (@here)

macbentosh (benbergthold@gmail.com)
2019-03-19 16:00:38

yes

macbentosh (benbergthold@gmail.com)
2019-03-19 16:00:44

or you can just dep them.

Jason Bayton (jason@bayton.org)
2019-03-19 16:02:34

There’s a demand for enrolment guides utilising DEP also.. 😄

Mark Vonk (mark.vonk@dahvo.com)
2019-03-19 16:05:13

What do you mean with guides? Typically, the guides I have (made) are customer specific. So not really to be shared

Jason Bayton (jason@bayton.org)
2019-03-19 16:07:06

*Thread Reply:* Everything up to the point of putting in credentials. Screenshots of the setup of the device. I appreciate it’ll vary with DEP per enrolment profile, but I can write around that.

Mark Vonk (mark.vonk@dahvo.com)
2019-03-19 16:10:31

*Thread Reply:* This issue is, for example, that the Apple Assistant will vary also, on the choices made. Some companies will skip certain screens, others will not skip them. Screens like the MDM enrolment will show company names. Other documentation will show how to connect to the corporate Wi-Fi (if needed). hence, there is a lot of customisation typically.

Jason Bayton (jason@bayton.org)
2019-03-19 16:11:21

*Thread Reply:* well with a non-DEP guide I can remove per the DEP profile and hopefully that’ll be close enough 🙂

Mark Vonk (mark.vonk@dahvo.com)
2019-03-19 16:05:37

And what is that for nonsense, no iOS device?

Jason Bayton (jason@bayton.org)
2019-03-19 16:06:08

*Thread Reply:* We haven’t met before, but I only focus on Android normally 😛

😕 Mark Vonk
macbentosh (benbergthold@gmail.com)
2019-03-19 16:15:39

little crud due to how Confluence exports it

Jason Bayton (jason@bayton.org)
2019-03-19 16:18:24

This is still Core @macbentosh 😛

macbentosh (benbergthold@gmail.com)
2019-03-19 16:18:40

for dep it isnt different

macbentosh (benbergthold@gmail.com)
2019-03-19 16:18:42

correct?

Mark Vonk (mark.vonk@dahvo.com)
2019-03-19 16:21:41

M@W versus Go app

macbentosh (benbergthold@gmail.com)
2019-03-19 16:21:52

but this is dep..

macbentosh (benbergthold@gmail.com)
2019-03-19 16:22:02

not app in setup assistant

MichaelM21 (mike.miller815@yahoo.com)
2019-03-19 16:32:56

Is there a way to modify MTU size for Sentry?

Russell Mohr (rmohr@mobileiron.com)
2019-03-19 17:38:30

Plenty of stuff in the DEP center of excellence

Russell Mohr (rmohr@mobileiron.com)
2019-03-19 17:38:38

some of it is dated..

Russell Mohr (rmohr@mobileiron.com)
2019-03-19 17:38:49

some videos too

mahiroux (mhyb.mk@gmail.com)
2019-03-20 05:40:28

Is there any configuration or plist for iOS and Android so that we can force users to login to our ‘On Premise’ Sharepoint server?

Mark Vonk (mark.vonk@dahvo.com)
2019-03-20 07:23:36

With the sharepoint app?

mahiroux (mhyb.mk@gmail.com)
2019-03-20 07:25:43

yes

Mark Vonk (mark.vonk@dahvo.com)
2019-03-20 07:33:15

Afaik the Sharepoint app does not have managed configs (android or iOS)

JP Guldfeldt (jpguldfeldt@hotmail.com)
2019-03-20 13:13:11

Docs@Work problem; When a file is open from a PC, it cannot be opened as "read only" in docs @ work. Does anyone know about a solution to this? Runs Sentry 9.2.1 and Docs @ Work 2.9.0.59. error on Sentry server "STATUSSHARINGVIOLATION" and "ERROR Cannot connect to CIFS" in Docs @ Work. Fileshare is Linux (samba) CIFS and SMB 2.1 support.

Nick (nickdiaz@gmail.com)
2019-03-20 20:30:03

@Nick has joined the channel

Sean (kenney.seanp@gmail.com)
2019-03-20 20:46:54

@Sean has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-03-21 08:46:52

Is there a way to use Intune Conditional Access for Exchange/Sharepoint online with MobileIron enrolled devices e.g only devices enrolled in MobileIron can access these services? I doubt it

NicolasR (raison_nicolas@me.com)
2019-03-21 08:56:03

With MobileIron Access yes 🙂

👍 Woody, mahiroux
NicolasR (raison_nicolas@me.com)
2019-03-21 08:56:17

otherwise Microsoft doesn’t allow MI to do this

NicolasR (raison_nicolas@me.com)
2019-03-21 08:56:30

but with Access it works fine

Ladislav Blazek (ladislav@lblazek.cz)
2019-03-21 09:22:09

It also depends on your authentication setup. To be able to deploy Access you need to have federated authentication (hybrid setup) with AD FS or other IdP. Access will not help you in case of Seamless SSO or Azure AD accounts only.

👍 Woody
MichaelM21 (mike.miller815@yahoo.com)
2019-03-21 09:22:45

Yes we have ADFS setup with O365

MichaelM21 (mike.miller815@yahoo.com)
2019-03-21 09:23:48

Looking only for a way to leverage the built-in Conditional Access Policies with our MobileIron Enrolled devices, which looks to be the case that this is not possible 😜

MichaelM21 (mike.miller815@yahoo.com)
2019-03-21 09:25:16

And with Access, we use the Conditional Access Policies with Access of course, not with Azure Conditional Access. I get it that Access can do it.. which I believe is the only solution for MI enrolled devices (or also other EMMs)

Ladislav Blazek (ladislav@lblazek.cz)
2019-03-21 09:30:59

Yep, there is no other option for MI. VMware WSO has Identity Manager for the same purpose.

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-03-21 09:31:25

Thank you!

👍 Ladislav Blazek
macbentosh (benbergthold@gmail.com)
2019-03-21 16:59:48

alright @here we are doing 802.1x wifi how does MI get the users new password when using the $PASSWORD$ variable for the config?

NicolasR (raison_nicolas@me.com)
2019-03-21 17:01:39

1st: Please don’t use $PASSWORD$ feature... I don’t even know how that can still exist 😱😆
2nd: The password is hashed/sent to CORE and stored on CORE during In-App registration process. The password is updated when a user successfully logs in to the CORE Console either on the Admin side or User portal side

👍 Woody, Peter Mohr
NicolasR (raison_nicolas@me.com)
2019-03-21 17:02:22

you should better use cert based authentication even if it’s a Local CA

NicolasR (raison_nicolas@me.com)
2019-03-21 17:02:34

that’s far more secure and smooth for the end-user

macbentosh (benbergthold@gmail.com)
2019-03-21 17:03:41

and how would I go about setting that up…That would have to be allowed by our network team correct

NicolasR (raison_nicolas@me.com)
2019-03-21 17:04:46

Well, depending on the 802.1x server it is quite a straightforward setup

NicolasR (raison_nicolas@me.com)
2019-03-21 17:05:01

but yes, they need to trust your CA & check your CRL (optional)

Woody (eric.woodland@trust.tc)
2019-03-21 17:08:12

@macbentosh who’s your WiFi vendor?

macbentosh (benbergthold@gmail.com)
2019-03-21 17:08:16

cisco

Woody (eric.woodland@trust.tc)
2019-03-21 17:08:23

Happen to have ISE in place?

macbentosh (benbergthold@gmail.com)
2019-03-21 17:09:54

@Woody don’t believe so

Woody (eric.woodland@trust.tc)
2019-03-21 17:11:05

See if you’re entitled to it. There’s a clean integration between it and Core/Cloud

Woody (eric.woodland@trust.tc)
2019-03-21 17:11:06

https://marketplace.mobileiron.com/listing/identity%20services%20engine%20(ise)

macbentosh (benbergthold@gmail.com)
2019-03-21 17:11:43

prob can, just need something going today so people’s accounts stop locking out

Woody (eric.woodland@trust.tc)
2019-03-21 17:12:45

Well, if WiFi isn’t functioning on a device it’s going to fall back to Cellular. Do most of these people have cellular service?

macbentosh (benbergthold@gmail.com)
2019-03-21 17:12:54

yes

macbentosh (benbergthold@gmail.com)
2019-03-21 17:13:04

but we need them on our prod network

Woody (eric.woodland@trust.tc)
2019-03-21 17:13:19

If so, send an email reminding them to change their password for that WiFi profile

Woody (eric.woodland@trust.tc)
2019-03-21 17:13:31

If they don’t have email--Perhaps start a call tree? 😆

macbentosh (benbergthold@gmail.com)
2019-03-21 17:13:31

going to keep $password$ for service accounts with passwords that don’t expire

macbentosh (benbergthold@gmail.com)
2019-03-21 17:13:56

yes but how do they change it on device?

macbentosh (benbergthold@gmail.com)
2019-03-21 17:14:01

it is not prompting

macbentosh (benbergthold@gmail.com)
2019-03-21 17:14:09

so i need them to login on the app

Woody (eric.woodland@trust.tc)
2019-03-21 17:14:39

You’d most likely need to update the profile and push it with a null value for P/W

Woody (eric.woodland@trust.tc)
2019-03-21 17:14:50

Thus allowing the user to enter

Woody (eric.woodland@trust.tc)
2019-03-21 17:15:15

Is it a singular config for the entire joint, or split up based on platform/ownership/etc?

NicolasR (raison_nicolas@me.com)
2019-03-21 17:19:17

in CORE if you have a static password that you want to set and send to the device you can use the $NULL$ variable, and in the field at the right of the password field you can put your password in.

NicolasR (raison_nicolas@me.com)
2019-03-21 17:19:40

but it’s the same password for everyone who gets the config

NicolasR (raison_nicolas@me.com)
2019-03-21 17:19:47

is it what you are looking for?

macbentosh (benbergthold@gmail.com)
2019-03-21 17:31:19

what will prompt?

NicolasR (raison_nicolas@me.com)
2019-03-21 17:32:07

nothing if the password is correct

Woody (eric.woodland@trust.tc)
2019-03-21 18:19:34

So @macbentosh is the profile that’s going out specifying the user’s ID (e.g $USERID) and $PASSWORD$, but you now want them to have the ability to enter their password by hand (because the stored password is failing)?

macbentosh (benbergthold@gmail.com)
2019-03-21 18:51:26

*Thread Reply:* Yes

Andrew Olpin (andy@olpin.us)
2019-03-22 11:58:26

*Thread Reply:* That's going to be up to iOS to manage. You get this behavior with native email because iOS is smart enough to say "hmm...the password isn't working, let me ask the user." Mobileiron doesn't do it.

iOS would need the same behavior for wireless authentication passwords, so when they expire, the user is prompted.

mahiroux (mhyb.mk@gmail.com)
2019-03-21 18:19:51

I am unable to open AIP protected documents using AIP viewer on iOS devices. I am using Per App VPN and using Split tunnel on Access (AasS). The error code I receive is FSCRTERRCODEINVALID_LICENSE. Has someone come across this issue during Microsoft AIP deployment using MI MDM?

Woody (eric.woodland@trust.tc)
2019-03-21 18:21:11

@mahiroux is the license key being pushed to the AIP Viewer via MobileIron? Perhaps the one you’re pushing out is invalid thus the error?

mahiroux (mhyb.mk@gmail.com)
2019-03-21 18:48:30

@Woody I am not pushing any license keys for AIP Viewer App. Other file types such as ptxt or pjpeg are working fine.

Woody (eric.woodland@trust.tc)
2019-03-21 18:49:18

Does AIP Viewer have to connect to a licensing server to validate/utilize that feature?

mahiroux (mhyb.mk@gmail.com)
2019-03-21 18:56:16

@Woody I am not quite sure about that. I had logged a case with Microsoft. As per their feedback, this seems to be a known issue; however, I could not digest that completely.

Woody (eric.woodland@trust.tc)
2019-03-21 18:59:04

okay @mahiroux. Was this configured prior to engaging access (and did it work)? If yes, did you still have the per-app VPN engaged at that time?

mahiroux (mhyb.mk@gmail.com)
2019-03-21 19:02:14

It was working with access in place with per-app VPN and split tunnel.

mahiroux (mhyb.mk@gmail.com)
2019-03-21 19:11:26

I am currently attending AIP live webinar and posted this question and the answer is below,

Woody (eric.woodland@trust.tc)
2019-03-21 19:33:25

Ah, okay then @mahiroux

Woody (eric.woodland@trust.tc)
2019-03-21 19:33:29

Good to know!

Woody (eric.woodland@trust.tc)
2019-03-21 19:33:41

#ItsYouNotMe

Woody (eric.woodland@trust.tc)
2019-03-21 19:33:47

er, #ItsThemNotYou

😄 Jason Bayton, mahiroux, NicolasR
AndersH (anders.hermansson@evry.com)
2019-03-21 21:45:52

@AndersH has joined the channel

macbentosh (benbergthold@gmail.com)
2019-03-25 13:25:08

Anyone setup MI with a SEIM?

Ladislav Blazek (ladislav@lblazek.cz)
2019-03-25 14:16:39

*Thread Reply:* I expect you mean SIEM. What SIEM software do you use? Generally speaking MI supports Syslog forwarding.

macbentosh (benbergthold@gmail.com)
2019-03-25 14:22:27

*Thread Reply:* IBM i believe

macbentosh (benbergthold@gmail.com)
2019-03-25 14:22:48

*Thread Reply:* yes SIEM….still early….On a MONDAY 😩

NicolasR (raison_nicolas@me.com)
2019-03-25 14:48:50

*Thread Reply:* yep I did it in the past

Ladislav Blazek (ladislav@lblazek.cz)
2019-03-25 14:51:32

*Thread Reply:* IBM QRadar AFAIK doesn’t have templates for MobileIron. You need to use custom parsing. Apart from that it is just a simple config in System Manager = enable Syslog forwarding + define what should be forwarded. For Sentrys you need to enable Audit log forwarding via CLI.

👍 Woody
macbentosh (benbergthold@gmail.com)
2019-03-25 16:10:47

any idea why compliance actions show a device in the filter but not when viewing the violations?

NicolasR (raison_nicolas@me.com)
2019-03-25 16:30:17

Because you use the old fashioned compliance triggers

NicolasR (raison_nicolas@me.com)
2019-03-25 16:30:40

Compliance tab is for Compliance actions rules/dedicated menu

NicolasR (raison_nicolas@me.com)
2019-03-25 16:31:09

If nothing appears it’s security policy

MichaelM21 (mike.miller815@yahoo.com)
2019-03-25 16:55:27

I am pretty sure this is a stupid question, but is there a way to trigger the start of an iOS app remotely?

Andrew Olpin (andy@olpin.us)
2019-03-25 16:57:53

*Thread Reply:* You can send an APNS message to wake it up, but the app needs to be launched at least once by the user for that to work.

Andrew Olpin (andy@olpin.us)
2019-03-25 16:58:02

*Thread Reply:* And that's all internal to the app

Andrew Olpin (andy@olpin.us)
2019-03-25 16:58:06

*Thread Reply:* MI can't do it.

Ladislav Blazek (ladislav@lblazek.cz)
2019-03-25 16:59:56

*Thread Reply:* The only way (I am aware of) to launch some app is in single app mode after device restart. Otherwise not possible with any MDM.

Andrew Olpin (andy@olpin.us)
2019-03-25 17:02:21

*Thread Reply:* If the app supports the URL method, you can call the URL to open the app, but:

  • the user has to click on "open" and will be prompted.
  • there's no way, AFAIK, that any of the MDM will accept a generic "run this URL" command
👍 Ladislav Blazek, MichaelM21
Ladislav Blazek (ladislav@lblazek.cz)
2019-03-25 17:09:23

*Thread Reply:* Yep, user interaction is needed.

Peter Mohr (pm@conscia.com)
2019-03-25 17:32:07

*Thread Reply:* Single App Mode would do the trick (but will lock the device into that app)

MichaelM21 (mike.miller815@yahoo.com)
2019-03-25 18:03:04

*Thread Reply:* And how would you do it with the URL method? API call? Assemble?

Andrew Olpin (andy@olpin.us)
2019-03-25 18:19:13

*Thread Reply:* You can't.

Andrew Olpin (andy@olpin.us)
2019-03-25 18:19:26

*Thread Reply:* The Mobileiron app would need to be set up to process a command to call the URL, which it is not.

Andrew Olpin (andy@olpin.us)
2019-03-25 18:20:09

*Thread Reply:* As far as I know, there is no way to force an app to open on iOS. We (lookout) have built some tricks with a VPN service we install on the device, but we can't force it to be opened.

Pierre (pierre.tabanous@digitaldimension.fr)
2019-03-26 18:50:39

Hello all, today we have issues with Apps@Work on Android devices, when launching it we get a network error -1 or other codes. This does not happen on iOS. any ideas ? Could not find much on MI Help, Core 10.1.

Phil Hackett (phil.hackett83@gmail.com)
2019-03-26 19:13:03

*Thread Reply:* This error is caused by Chrome v73.0. MI have told us that there should be a fix coming in a future Mobile@Work client release. Our devices are enrolled as AE Work Profile, so we’re getting users to use the Managed Google Play Store...

Pierre (pierre.tabanous@digitaldimension.fr)
2019-03-26 19:21:44

*Thread Reply:* arghhhh thanks a lot. unfortunately, it also happens with some Chrome 72 apparently. but the tip is good. the devices with the most issues have Chrome 73.

NicolasR (raison_nicolas@me.com)
2019-03-26 20:29:37

*Thread Reply:* @Pierre if it happened with Chrome 72, please open a case with logs!

Pierre (pierre.tabanous@digitaldimension.fr)
2019-03-26 20:42:19

*Thread Reply:* already done Nico 🙂 of course

👍 NicolasR
Pierre (pierre.tabanous@digitaldimension.fr)
2019-03-26 20:42:27

*Thread Reply:* device and showtechs

NicolasR (raison_nicolas@me.com)
2019-03-26 20:42:53

*Thread Reply:* I will ping Alex about that

MichaelM21 (mike.miller815@yahoo.com)
2019-03-26 19:52:53

MobileIron Core CBA for EAS with Office 365 without Sentry - the MI guide for Integration with O365 states that the values of email and user-id within the exchange config have to be $NULL$ because these values will be used from the cert. But using $NULL$ within Android Enterprise Email+ won’t work - brings up a configuration error! So keep $EMAIL$ ?

Mark Vonk (mark.vonk@dahvo.com)
2019-03-26 20:02:44

$EMAIL$ for UserID and Email address should work just fine. Even when it’s actually retrieved from the client cert. It does not interfere.

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-03-26 20:13:06

Perfect that is what I thought. Just confused me to remove it from the exchange config.

AndersH (anders.hermansson@evry.com)
2019-03-28 13:31:40

Hi! Some Android users get the error message: Security Alert. There is a problem with the provided server certificate. We are using MobileIron, any thoughts?

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 13:42:53

Is the port 8080 for Local CA CRL still valid? Getting a connection refused

Martin Hillerö (martin.hillero@techstep.se)
2019-03-28 13:47:16

In the past I know that you sometimes got https 443 on the local CA CRL.

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 13:48:57

Yes well we have plenty of user certs where the CRL points to 8080, which looks like it is not reachable. Trying a telnet from the same Core subnet brings me a connection refused. I need the CRL for CBA with O365 EAS to be reachable, right?

AndersH (anders.hermansson@evry.com)
2019-03-28 13:58:42

*Thread Reply:* For this customer we are using MobileIron Cloud

Martin Hillerö (martin.hillero@techstep.se)
2019-03-28 13:58:56

*Thread Reply:* Yeah I’m pretty sure it needs to be reachable. Sounds like you need to create a ticket. I just went in and looked on my test server and my CRL points to https not http. Same if I create a new one.

Martin Hillerö (martin.hillero@techstep.se)
2019-03-28 13:59:04

*Thread Reply:* Ahh ok, I’m talking about on-prem

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 13:59:32

*Thread Reply:* Yes me too, I am on Core

AndersH (anders.hermansson@evry.com)
2019-03-28 13:59:52

*Thread Reply:* I think it’s different on cloud..

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 14:00:50

*Thread Reply:* So you see https in the CRL, not 8080?

Martin Hillerö (martin.hillero@techstep.se)
2019-03-28 14:01:33

*Thread Reply:* yeah, on services -> and then selecting the local CA I created.

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 14:02:51

*Thread Reply:* Ok.. Me too, only I have 8080 within the URL..

Martin Hillerö (martin.hillero@techstep.se)
2019-03-28 14:05:14

*Thread Reply:* Ok, then I’m out of answers 😞

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 14:05:36

*Thread Reply:* Thanks so far, I will raise a ticket with MI.

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 14:05:41

*Thread Reply:* 👍🍺

Martin Hillerö (martin.hillero@techstep.se)
2019-03-28 14:06:00

*Thread Reply:* 🍻

AndersH (anders.hermansson@evry.com)
2019-03-28 14:08:41

*Thread Reply:* 👍

Andrew Olpin (andy@olpin.us)
2019-03-28 15:01:26

*Thread Reply:* You should be able to disable port 8080 and force all of those connections to HTTPS. In the system manager, under ports is where you can change that. I'm assuming it would then update the CRL to be available over 443.

Andrew Olpin (andy@olpin.us)
2019-03-28 15:01:29

*Thread Reply:* Haven't tried myself

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 18:41:59

*Thread Reply:* There is no option within the System Manager to disable 8080 - I haven’t seen anything like that on Core 10.2

Andrew Olpin (andy@olpin.us)
2019-03-28 18:53:29

*Thread Reply:* Disabling 8080 has always been an option, it's recommended for production deployments to move those communications to 443.

Andrew Olpin (andy@olpin.us)
2019-03-28 18:53:41

*Thread Reply:* This is from an older MobileIron install guide, but...

Andrew Olpin (andy@olpin.us)
2019-03-28 18:53:42

*Thread Reply:* Checking Port Settings

The default provisioning port is HTTP/8080. If you have signed certificates, you can select HTTPS/443, instead. To change the port settings:

  1. Log into the System Manager.
  2. Go to Settings > Port Settings.
  3. Select https.
  4. Click Apply > OK.
  5. Complete the next steps by going to the following sections.
  • See Setting Up Users.
  • See Installing Sentry.
  • See Configuring Atlas.
  • See Restricting Access to Core Components.
  • See Rolling Out MobileIron Core.
  6. Get MobileIron software updates, as necessary. See the System Manager Guide for the specific release for instructions about how to upgrade to the release.
MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 20:33:56

*Thread Reply:* Yes I agree but provisioning is enabled for 443, that is not the point

MichaelM21 (mike.miller815@yahoo.com)
2019-03-28 20:35:13

*Thread Reply:* The point is we have to use a new local CA because the old one is still 8080 which cannot be changed. So re-enroll 12.000 user certs because of that.

Andrew Olpin (andy@olpin.us)
2019-03-29 12:17:01

*Thread Reply:* Ah, I guess you're right. I hadn't thought about the fact that the CRL is encoded in the certificate. Yep, you may be stuck

Pierre (pierre.tabanous@digitaldimension.fr)
2019-03-28 15:23:20

Hello,

Pierre (pierre.tabanous@digitaldimension.fr)
2019-03-28 15:24:46

We are seeing issues with Assemble after having activated SAML federation on our CORE. Some reports work, but most of the device reports are not working anymore. Anybody having the same issue? We use a local service account on the core for this and it has all the rights.

NicolasR (raison_nicolas@me.com)
2019-03-28 21:05:24

*Thread Reply:* Known for reports that need UI access and not only API

NicolasR (raison_nicolas@me.com)
2019-03-28 21:06:07

*Thread Reply:* This will not be fixed at all

NicolasR (raison_nicolas@me.com)
2019-03-28 21:06:52

*Thread Reply:* You need to work only on assemble scripts that use API only (try to convert those scripts to API v2 in assemble)

Pierre (pierre.tabanous@digitaldimension.fr)
2019-03-29 06:15:59

*Thread Reply:* uuum ok, i have to check how to proceed.

noodl35 (david.v.nguyen@zurichservices.com)
2019-03-29 16:45:07

@noodl35 has joined the channel

macbentosh (benbergthold@gmail.com)
2019-03-29 19:25:22

how can I get cloud to stop asking for an app store password

Andrew Olpin (andy@olpin.us)
2019-04-01 02:58:06

*Thread Reply:* You mean on the device when the app is installed?

If that’s what you need, look into device based vpp.

Aamir (zihaan9@gmail.com)
2019-03-29 19:27:05

@Aamir has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-04-01 09:22:09

Has anyone a feature comparison between MobileIron VS Airwatch VS Sophos VS MAS 360?

Ladislav Blazek (ladislav@lblazek.cz)
2019-04-01 22:07:00

*Thread Reply:* Devil is in the details… these comparisons are usually quite misleading. It all depends on the specific use case and I would always recommend to do PoC for any bigger/complex deployment.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-02 19:06:52

*Thread Reply:* You are right. Thanks.

NicolasR (raison_nicolas@me.com)
2019-04-01 09:33:39

feature comparison is in the best case not up to date, in worst case incomplete...

NicolasR (raison_nicolas@me.com)
2019-04-01 09:33:56

you can compare on specific topics like Android Enterprise

NicolasR (raison_nicolas@me.com)
2019-04-01 09:34:22

these products now have a large amount of features each, so comparing becomes complex

noodl35 (david.v.nguyen@zurichservices.com)
2019-04-01 16:27:50

Anyone run into any weird quirks or issues when upgrading your sentry servers to 9.5? I'm about to do this to 3 of our sentry servers this Friday and for the most part they upgrade fine, but every now and then there's some weird issue that we run into that involves MobileIron support. So just asking around to see. Thanks.

Ladislav Blazek (ladislav@lblazek.cz)
2019-04-01 22:12:04

*Thread Reply:* What you mean by “weird issues”?

noodl35 (david.v.nguyen@zurichservices.com)
2019-04-02 21:34:37

*Thread Reply:* Our last core upgrade completed successfully but the MIFS never went back online. We had to restart Tomcat in order to get it back online. According to support, it was a bug. Our last app sentry upgrade messed up our cloud serviced apps in MobileIron Access. Turns out that some of our ciphers were removed so we had to put them to where they were and made sure they were all prioritized correctly. Just weird issues like that.

NicolasR (raison_nicolas@me.com)
2019-04-01 16:42:04

TLS 1.0 & 1.1 are removed by default in Sentry 9.5...

NicolasR (raison_nicolas@me.com)
2019-04-01 16:42:10

that could lead to issues

MichaelM21 (mike.miller815@yahoo.com)
2019-04-02 16:22:26

Is there a restriction for KNOX Workspace to prevent the export of business contacts from the workspace? (MobileIron Core)

Sragnob (maartinos@gmail.com)
2019-04-03 09:34:45

*Thread Reply:* Known issue for Samsung devices, the fault is in Samsung’s application of GMS.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-04 07:39:55

*Thread Reply:* Do you have a reference for this?

NicolasR (raison_nicolas@me.com)
2019-04-02 20:23:27

AE workspace or legacy Knox workspace ?

Mark Vonk (mark.vonk@dahvo.com)
2019-04-03 08:00:52

It does not really matter. Assuming KNOX Workspace, the container. With Core < 10.3 (and M@W 10.3 both in beta) you can’t use KNOX Workspace (container) on AE, you can only use some KNOX device API’s (former SAFE) to turn on/off features within the AE work profile. As he mentions KNOX workspace, I assume it’s the container and thus based on Device Admin. Either way; for both cases, the APIs implemented in Core are the same. I am not sure if there is a KNOX API to disable this, but even if there is, this is not implemented in Core.

Kiran Patel (kiran@kiranpatel.net)
2019-04-03 13:46:27

Has anyone here heard of any Apps@Work UI improvements for MI Core? Our end users hate it and I've been asking MI for YEARS to make it better. All they did was add a spinning circle when you tap install. Is MI Cloud's Apps@Work any better?

Philip Harrison (CWSI) (pharrison@cwsi.ie)
2019-04-03 15:16:37

Does anybody urgently know how to disable an ACL set in a Core System manager? Not a Portal ACL, but one of the traffic level ACLs. One has been added accidentally that is blocking all traffic, so need a way to disable it from the CLI :-(. Any help gratefully received...

Almar Diehl (almar.diehl@blaud.com)
2019-04-03 17:13:01

*Thread Reply:* Have you tried “service iptables stop” ?

Almar Diehl (almar.diehl@blaud.com)
2019-04-03 17:47:48

*Thread Reply:* Login with root access (misupport) and modify the file /mi/config-system/startup_config/systemconfig.xml

👍 Woody
Philip Harrison (CWSI) (pharrison@cwsi.ie)
2019-04-08 09:17:04

*Thread Reply:* Thanks Almar, stopping iptables worked, tested it on another environment. In this particular case though the changes weren’t Saved, so getting the VM rebooted wiped out the ACLs and we were back to normal.

On the unsupported access, because the firewall rules were in place we could not SSH to the server, even from the VMware console to the local IP. Don’t suppose you know how to get access to the root prompt using the ‘devshell’ command we see MobileIron Support use do you? For future reference :-)

Almar Diehl (almar.diehl@blaud.com)
2019-04-08 09:40:32

*Thread Reply:* You can request your own DevShell password. See: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxoFCAS

Ignc (igncbc@gmail.com)
2019-04-03 16:02:43

@Ignc has joined the channel

Philip Harrison (CWSI) (pharrison@cwsi.ie)
2019-04-08 09:18:52

Anybody know of a urlscheme for Docs@Work by the way? Want to be able to open files on COFS shares, so a URL scheme like file.docx would be great

Philip Harrison (CWSI) (pharrison@cwsi.ie)
2019-04-08 09:19:21

*Thread Reply:* “CIFS” sorry :-)

Almar Diehl (almar.diehl@blaud.com)
2019-04-08 09:49:36

*Thread Reply:* I do not know the url scheme but maybe MobileIron FilePass can help (announced for next week, currently iOS only).

mahiroux (mhyb.mk@gmail.com)
2019-04-08 13:22:05

*Thread Reply:* @Almar Diehl It is good news indeed. I have registered for Beta testing. Out of curiosity, can I open an AIP Protected document from docs@work?

Andrew Olpin (andy@olpin.us)
2019-04-08 14:34:12

*Thread Reply:*

Philip Harrison (CWSI) (pharrison@cwsi.ie)
2019-04-09 09:27:45

*Thread Reply:* Thanks Andrew, you tested that and it works? Nothing in the MI docs about it, but I feel like it did exist :-)

Andrew Olpin (andy@olpin.us)
2019-04-09 12:19:52

*Thread Reply:* I know that's the syntax, but I can't test it at present.

Andrew Olpin (andy@olpin.us)
2019-04-09 12:20:22

*Thread Reply:* I was a MobileIron sales engineer for five years, so I've got experience. 😄

MichaelM21 (mike.miller815@yahoo.com)
2019-04-08 12:33:28

If the user permission „register device“ is not checked, the user should not be able to enroll a device without the admin having created the device in the first place, right?

Mark Vonk (mark.vonk@dahvo.com)
2019-04-08 12:40:35

Yes and no: only if you require a PIN for registration. If you do not require that, any user with the User Portal permission can register a device

🙏 MichaelM21
Ignc (igncbc@gmail.com)
2019-04-09 11:33:05

Hi everybody🙋‍♂️, first post here, I hope I can help and collaborate onwards. I need a little help here with the D@W on iOS. I have it working right on AE without any issue. I made it work in the past in other instances of MI Core+Sentry on iOS, but last week I installed a new instance on 10.2 and something is not working, or I forgot to set up something properly. I add below a few screenshots of my test environment. I installed Documents by ripple (SMB client) on an iPad and assigned the per-app tunnel, and it can connect to the CIFS share, so it must be something on the iOS D@W. I tried with CIFS_ANY and TCP_ANY; none of it makes any difference. Comments are welcome. Thanks

NicolasR (raison_nicolas@me.com)
2019-04-09 12:00:08

*Thread Reply:* CIFS is port 445 ;-)

NicolasR (raison_nicolas@me.com)
2019-04-09 12:00:14

*Thread Reply:* Not 443

NicolasR (raison_nicolas@me.com)
2019-04-09 12:00:34

*Thread Reply:* Your apptunnel rule is wrong

Ignc (igncbc@gmail.com)
2019-04-09 12:12:51

*Thread Reply:* Hi Nicolas, I know about CIFS 445, I think I changed it during one of my desperate tests. I'll try with 445 again and report back, Thanks

Ignc (igncbc@gmail.com)
2019-04-09 12:14:16

*Thread Reply:* Nicolas, one question, I need to use CIFS_ANY or TCP_ANY?

Andrew Olpin (andy@olpin.us)
2019-04-09 12:15:24

*Thread Reply:* CIFS_ANY

👍 NicolasR, Ignc
Ignc (igncbc@gmail.com)
2019-04-09 12:17:57

*Thread Reply:* I read in the documentation about iOS that it only works if you use TCP_ANY for the tunnel app and AppConnect, hence my confusion

NicolasR (raison_nicolas@me.com)
2019-04-09 12:19:22

*Thread Reply:* Tunnel app is TCP_ANY but Docs@Work uses embedded AppTunneling (not requiring Tunnel app); for CIFS servers it’s CIFS_ANY and for WebDAV/SharePoint and others it’s ANY

👍 Ignc
Ignc (igncbc@gmail.com)
2019-04-09 12:20:32

*Thread Reply:* Ok, I'll try to redo my setup based on that.

Andrew Olpin (andy@olpin.us)
2019-04-09 12:22:10

*Thread Reply:* And the CIFS connection is finicky. All of the other connections are simply proxying traffic. The CIFS connection is also translating CIFS traffic into Webdav so the mobile device can consume it. It's why CIFS_ANY exists, and why it's mandatory.

👍 Ignc, NicolasR, MichaelM21
Ignc (igncbc@gmail.com)
2019-04-09 12:30:01

*Thread Reply:* Just to check, as you said it does not require Tunnel App, I don't need to add the tunnel app profile on the per app VPN inside the d@W setup, right?

NicolasR (raison_nicolas@me.com)
2019-04-09 12:37:10

*Thread Reply:* For Docs@Work no

Ignc (igncbc@gmail.com)
2019-04-13 17:05:17

*Thread Reply:* Thanks, it works now, it was the port error. My bad.

NicolasR (raison_nicolas@me.com)
2019-04-13 18:12:45

*Thread Reply:* 👍🍾

Jason Bayton (jason@bayton.org)
2019-04-10 11:43:33

Hi folks, I hear there’s an IP change for MI Cloud on the horizon (if not already). Does anyone have any info on this as I’ve not seen anything outside of NA2

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-10 11:48:30

@Jason Bayton I received an email about EU servers

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-10 11:48:54

"If you use IP-based firewall rules for MobileIron Cloud https://eu1.mobileiron.com/ in your network, you must take action before May 6th, 2019 to avoid service interruptions."

Jason Bayton (jason@bayton.org)
2019-04-10 11:49:15

Might you have the link to the details on it please?

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-10 11:49:42

PM me your email and i'll forward the email.

Jason Bayton (jason@bayton.org)
2019-04-10 11:49:57

jason@bayton.org - it’s not a secret 🙂

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-10 11:50:14

mail sent 🙂

Jason Bayton (jason@bayton.org)
2019-04-10 11:53:16

Wonderful, thank you sir!

Kiran Patel (kiran@kiranpatel.net)
2019-04-12 02:19:01

anyone here configure MobileIron Access as a Service for Azure SRS?

NicolasR (raison_nicolas@me.com)
2019-04-13 15:46:54

*Thread Reply:* I have a customer who does, what’s the question?

Kiran Patel (kiran@kiranpatel.net)
2019-04-18 16:23:58

*Thread Reply:* did you have to enable activemq manually on MI Core for this to work? Initially we thought it was firewall rules but MI just came back that we need to manually enable something on Core 10.2 as well

Jacques Aing (jacques.aing@digitaldimension.fr)
2019-04-12 09:51:24

@Jacques Aing has joined the channel

Mike L (mlee@partners.org)
2019-04-12 14:37:41

@Mike L has joined the channel

System Admin (sagar080890@gmail.com)
2019-04-14 07:05:01

Guys we are using Intune MAM now, but we want to implement MobileIron MDM solution for our organization requirements

System Admin (sagar080890@gmail.com)
2019-04-14 07:05:23

We want to represent use case MobileIron vs Intune MDM

System Admin (sagar080890@gmail.com)
2019-04-14 07:05:28

Can anyone help me please

NicolasR (raison_nicolas@me.com)
2019-04-14 23:07:41

*Thread Reply:* Complex as we don’t know your use case but anyway I’ll try:

  • iOS: support for many advanced functions like VPP device based, DEP with latest profiles
  • Android: support for all Android Enterprise use cases like COPE/COBO and many third party integration like KNOX v3 and Zebra support
  • General (all OSes): advanced certificate management, security certifications like NIAP / FedRAMP / Common Criteria MDM-PP
NicolasR (raison_nicolas@me.com)
2019-04-14 23:08:31

*Thread Reply:* Also, agnostic Conditional access and built in Mobile Threat Defense technology

System Admin (sagar080890@gmail.com)
2019-04-14 23:32:40

*Thread Reply:* Hi buddy

System Admin (sagar080890@gmail.com)
2019-04-14 23:32:45

*Thread Reply:* Thanks a lot for your reply

System Admin (sagar080890@gmail.com)
2019-04-14 23:33:07

*Thread Reply:* But conditional access is also in intune

System Admin (sagar080890@gmail.com)
2019-04-14 23:35:07

*Thread Reply:* Regard use case

System Admin (sagar080890@gmail.com)
2019-04-14 23:36:08

*Thread Reply:* We want to connect Android and iOS device to corporate network but the issue is those devices should be domain joined which I feel is complex In mobile device

System Admin (sagar080890@gmail.com)
2019-04-14 23:37:00

*Thread Reply:* Another use case is we want to integrate in-house apps and I know Intune MDM is slightly tricky to accomplish this as it requires app wrapping and SDK

System Admin (sagar080890@gmail.com)
2019-04-14 23:37:50

*Thread Reply:* Another use case is we want to implement this solution for plant users where the issue is about network connectivity and we want to lock down the device within a secure environment

System Admin (sagar080890@gmail.com)
2019-04-14 23:39:16

*Thread Reply:* Another use case is our majority solution will be for Android , which means we have to make sure MDM should be compatible in all types of Android devices and I know Intune is not good in that

System Admin (sagar080890@gmail.com)
2019-04-14 23:39:48

*Thread Reply:* Please help me with some valid points reason why MobileIron or any other MDM but not Intune

System Admin (sagar080890@gmail.com)
2019-04-14 23:40:26

*Thread Reply:* But definitely our main focus is MobileIron

System Admin (sagar080890@gmail.com)
2019-04-14 23:40:32

*Thread Reply:* I know MobileIron is really awesome

Ignc (igncbc@gmail.com)
2019-04-15 10:13:55

*Thread Reply:* I can only speak in terms of what I tested before. During the design of our enterprise solution, I evaluated UEM BES, Airwatch, Intune and MobileIron core/cloud. It was a year ago, and there is a vast difference in terms of what features were supported at the time, how intensive in terms of resources they are, and how the technical support works in each solution.

Ignc (igncbc@gmail.com)
2019-04-15 10:15:03

*Thread Reply:* In my case, my target mode to use was AE behind COPE. In this case MobileIron core was the first solution to release such a feature, and it ended up being the winner in my evaluation, but not only because of that.

NicolasR (raison_nicolas@me.com)
2019-04-15 10:17:32

*Thread Reply:* @System Admin about conditional access with Azure: Microsoft can only perform conditional access through apps that contain the MSFT SDK. No third party apps without the SDK can use it (no way to put conditional access on Salesforce, Concur, Service Now, others...). If you have a cloud service it will require app changes to include the SDK, which is complex and not an ideal situation. Also, native apps like native iOS, Gmail, Chrome & Safari can’t be included in conditional access from MSFT. Only Microsoft apps (Edge, Outlook, Word, Onedrive...)

Ignc (igncbc@gmail.com)
2019-04-15 10:17:34

*Thread Reply:* In terms of supported features, UEM BES and Airwatch supported at the time more AE API calls than MobileIron, but the ones that are not supported by MobileIron are not “critical” in many ways. For example, one that is not supported by MobileIron is the one that permits you to set the lockscreen message.

Ignc (igncbc@gmail.com)
2019-04-15 10:21:09

*Thread Reply:* About resources, Airwatch and UEM BES are quite intensive, as they are solutions based on top of Windows Server; MobileIron is based on Linux (CentOS) and that for me is a point in favour. If you look at the numbers, MobileIron Core scales up in a very linear way, but BES and Airwatch are madness in terms of the hardware necessities.

NicolasR (raison_nicolas@me.com)
2019-04-15 10:21:43

*Thread Reply:* I have a customer with 120K devices on 1 core 😄

👏 Ignc
👍 FullMobile
NicolasR (raison_nicolas@me.com)
2019-04-15 10:21:57

*Thread Reply:* and they are still going up and up

Ignc (igncbc@gmail.com)
2019-04-15 10:22:11

*Thread Reply:* That’s what I said

Ignc (igncbc@gmail.com)
2019-04-15 10:22:14

*Thread Reply:* 😉

NicolasR (raison_nicolas@me.com)
2019-04-15 10:22:34

*Thread Reply:* 👍

Ignc (igncbc@gmail.com)
2019-04-15 10:24:51

*Thread Reply:* About Intune, I discarded the solution at first because we came from a cloud-based (tenant) Airwatch solution provided by the telco where we CAN’T control which version we are using, and they control when and how Airwatch is updated. That was totally insane, and I’m sure others here have worked with the nefarious VSDM by Vodafone.

Ignc (igncbc@gmail.com)
2019-04-15 10:25:47

*Thread Reply:* With Intune you are in the same boat: they update the solution online when they consider it is tested and ready for a production environment, even if you are not ready to accept the risk

Ignc (igncbc@gmail.com)
2019-04-15 10:26:29

*Thread Reply:* And this is the same for all the cloud-based solutions where you don’t control how they are updated.

Ignc (igncbc@gmail.com)
2019-04-15 10:29:09

*Thread Reply:* I suffered that before and I like to sleep well knowing my UEM is not going to be updated without being able to test the new version in advance, as you can do with MobileIron Core anytime.

Ignc (igncbc@gmail.com)
2019-04-15 10:32:26

*Thread Reply:* So in short, Intune does not support all AE APIs, is only cloud based, and even if Microsoft says it is “free” (included with your O365 subscription), we’ll see in the future how it evolves; my point of view is that at some point they will fuse SCCM and Intune.

System Admin (sagar080890@gmail.com)
2019-04-17 02:33:48

*Thread Reply:* Thanks guys, can you please help me with the detailed reasons why Intune is not better for in-house app integration

Damian (support@expertmobilite.com)
2019-04-14 14:04:45

@Damian has left the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-04-16 14:47:19

Guys, I need your input on MobileIron Access as a service (Delegated IdP) and how to quickly verify that access is working for managed devices and not working for unmanaged devices.
- Core and Access connected
- SCEP and VPN config created
- Delegated IdP in Access Portal enabled and configured

The next step is to execute the PowerShell script on the ADFS. But before that I would like to have a device prepared so I can test it. What would you recommend? Email+ with Modern Auth enabled? OneDrive for Business? Thanks for your input

Andrew Olpin (andy@olpin.us)
2019-04-16 14:48:49

*Thread Reply:* To test an unmanaged device it doesn't matter. If you've never done this before, make sure you're not doing it in production, as this will change your authentication flow for all of O365.

Andrew Olpin (andy@olpin.us)
2019-04-16 14:49:34

*Thread Reply:* I usually used onedrive or one of the office apps. Make sure the app in question is managed with the per-app VPN assigned to it, or it won't work.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-16 15:00:15

*Thread Reply:* So I have to enable the VPN config used for Access within the App settings of the App? I only have a production environment. So I am looking for a way with the least impact for existing mobile devices. Since we use Del IdP Desktop devices are not impacted. I think I need to allow unmanaged devices within the Conditional access policy as well otherwise these devices will be impacted since they are not using Tunnel yet - of course within a maintenance window I can block the unmanaged devices

Andrew Olpin (andy@olpin.us)
2019-04-16 15:16:19

*Thread Reply:* Yes. the way an app is considered "allowed" is if the app is coming in via VPN.

Andrew Olpin (andy@olpin.us)
2019-04-16 15:17:27

*Thread Reply:* If you're setting up access as a separate IDP that's talking to ADFS, that's fine.

Andrew Olpin (andy@olpin.us)
2019-04-16 15:18:04

*Thread Reply:* If you change O365, however, I think O 365 only allows a single IDP for the domain. That kind of change impacts all authentication for office. Desktop, mobile, browser, etc.

Andrew Olpin (andy@olpin.us)
2019-04-16 15:18:23

*Thread Reply:* If it works fine, no issues. Access will pass all the desktop and browser traffic through.

Andrew Olpin (andy@olpin.us)
2019-04-16 15:18:44

*Thread Reply:* If you have trouble setting it up, though, no one will be able to access O365 until it's fixed.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-16 17:23:32

*Thread Reply:* With the Delegated IdP setup I don’t have to modify the Office 365 IdP since there is no trust between Access and Office 365 relevant. Creating a federated pair in the Access portal for Del IdP only needs the metadata from ADFS. And after that, execute the PowerShell script from Access on the ADFS. Well, with adding the VPN configuration within the app I see a problem - what happens to all the devices which already use that app but will not have the VPN config because they are not using Tunnel yet? Are they able to use the app without impact?

MichaelM21 (mike.miller815@yahoo.com)
2019-04-16 18:19:26

*Thread Reply:* And also: If I want to use Email+ for iOS which now supports Modern Auth, do I also have to apply the VPN config to Email+?

Andrew Olpin (andy@olpin.us)
2019-04-16 18:20:00

*Thread Reply:* as long as the policy isn't yet set to block unauthorized apps, they will continue to use it.

Andrew Olpin (andy@olpin.us)
2019-04-16 18:20:23

*Thread Reply:* You will also see in the access logs how many users are coming in via unauthorized means, so you can be sure that number is acceptable before you block.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-16 18:48:04

*Thread Reply:* Ok got it, thanks. But coming back to the VPN config which needs to be enabled in the app settings within the AppCatalog. If I enable the VPN config for let's say OneDrive for Business, since this is a global setting it will be applied for all devices. And since we have plenty of devices which will not have a Tunnel configuration, hence no Tunnel VPN config applied to them, will the app still be usable for non-Tunnel users?

Andrew Olpin (andy@olpin.us)
2019-04-16 20:17:58

*Thread Reply:* If they don't have tunnel, the VPN won't work, but that won't break the normal function of the app. Once you set access to block unmanaged apps and devices, however, those devices will break, as those apps will not be "managed" as access sees it.

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-04-16 20:25:55

*Thread Reply:* Clear, thanks! 👍

MichaelM21 (mike.miller815@yahoo.com)
2019-04-17 09:29:43

*Thread Reply:* Regarding Email+: do I have to choose the Identity Cert for Access within the Email+ config and also apply the VPN config within the app? The documentation about this is very limited! 🤕

Andrew Olpin (andy@olpin.us)
2019-04-17 16:39:06

*Thread Reply:* No. The identity cert in the email+ config is if you're using certificate authentication for email access. That's separate from the certificate authentication needed by Tunnel.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-17 16:41:43

*Thread Reply:* But I have to enable the VPN config in the app catalog for Email+? I am not talking about the KVP for login cert, but the Identity Cert from the dropdown menu

Andrew Olpin (andy@olpin.us)
2019-04-17 17:39:53

*Thread Reply:* Yes.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-17 13:44:29

Is there a way to re-deploy the Apps@Work shortcut for Android if a user deleted the shortcut?

Almar Diehl (almar.diehl@blaud.com)
2019-04-17 14:06:41

*Thread Reply:* I can not test it at the moment but if I remember this ok there is an option in the Mobile@Work client to re-deploy the shortcut.

Almar Diehl (almar.diehl@blaud.com)
2019-04-17 14:25:36

*Thread Reply:* Yep, just checked. When you go to Settings in the M@W app there is an option to “Add Apps@Work Shortcut to Home Screen”

🙏 MichaelM21
Boris W. (bwl@ibelem.com)
2019-04-17 15:01:43

@Boris W. has joined the channel

👍 NicolasR, Boris W.
MichaelM21 (mike.miller815@yahoo.com)
2019-04-23 09:51:56

My new LDAP groups will not show the members on Core (no Data) hence no Filter labels apply! I have added all relevant groups within the LDAP configuration. If I browse the LDAP through the LDAP settings on Core, I can see all the members in Active Directory, but not within the Users tab (LDAP entities). Any ideas?

NicolasR (raison_nicolas@me.com)
2019-04-23 09:53:31

*Thread Reply:* Sync discard may have been triggered

NicolasR (raison_nicolas@me.com)
2019-04-23 09:53:48

*Thread Reply:* note that there is a change in the way CORE calculates the sync discard since 10.1

NicolasR (raison_nicolas@me.com)
2019-04-23 09:55:23

*Thread Reply:* Before: the percentage was applied to all the users synced in CORE
Now: the percentage is applied to each group independently and stops the sync of all LDAP

-> We recommend switching to a number of users instead of a percentage

MichaelM21 (mike.miller815@yahoo.com)
2019-04-23 09:55:53

*Thread Reply:* Ah good point. This should be in the logs. Can I disable the Sync Discard without any impact?

NicolasR (raison_nicolas@me.com)
2019-04-23 09:56:09

*Thread Reply:* Better switch to number of users

NicolasR (raison_nicolas@me.com)
2019-04-23 09:56:32

*Thread Reply:* depending on your fleet size but a number between 100 & 300 should be enough

MichaelM21 (mike.miller815@yahoo.com)
2019-04-23 09:57:45

*Thread Reply:* Ok but I can temporarily disable it to check if the sync works again, right?

NicolasR (raison_nicolas@me.com)
2019-04-23 09:58:54

*Thread Reply:* You can, even if switching to number of users will have the same effect, without the risk of having a real user impact in case of sync issues

MichaelM21 (mike.miller815@yahoo.com)
2019-04-23 10:01:30

*Thread Reply:* Bingo, right on the money! Thanks! 👍🍺

👍 NicolasR
NicolasR (raison_nicolas@me.com)
2019-04-23 10:02:50

*Thread Reply:* If you can open a case to make Sync Discard feature great again it will help 😆

NicolasR (raison_nicolas@me.com)
2019-04-23 10:13:08

*Thread Reply:* VSP-47816 is the feature that changed the behaviour

Phil Hackett (phil.hackett83@gmail.com)
2019-04-23 12:22:06

*Thread Reply:* This change caused us a bit of grief. We’ve got a ticket open with engineering..

NicolasR (raison_nicolas@me.com)
2019-04-23 12:23:01

*Thread Reply:* not only to you 😉

👍 Phil Hackett, MichaelM21
Nils Gerloff (nils.gerloff@your-side.de)
2019-04-24 06:32:57

Hello, we have an issue between iOS and the Outlook App. The iOS devices will be shown as Android devices

Nils Gerloff (nils.gerloff@your-side.de)
2019-04-24 06:34:44

in the ActiveSync Associations.

Nils Gerloff (nils.gerloff@your-side.de)
2019-04-24 06:35:20

The solution is that the device will be blocked automatically...

Jason Bayton (jason@bayton.org)
2019-04-24 09:40:11

Maybe don’t block Android devices? How very dare you 😅 This isn’t a MobileIron issue though, probably one for #microsoft so I’ll share it in there.

Mark Vonk (mark.vonk@dahvo.com)
2019-04-24 11:16:32

Outlook will always be blocked as the ActiveSync ID from Outlook will not be recognized by the Sentry as a registered device.

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-04-24 15:56:41

Hello, anyone came across using USER_CUSTOM attribute as the URL within Docs@Work for Android Enterprise? I am using the same attribute Within iOS and Android DA for Docs@Work and this is working fine.

Boris W. (bwl@ibelem.com)
2019-04-24 16:10:06

Hello, I have an issue with Email+ for iOS during activation. The SSL handshake fails... Do you have the same problem here?

NicolasR (raison_nicolas@me.com)
2019-04-24 17:17:18

*Thread Reply:* I had that almost 2 years ago: it was an issue in checking CRL & validating the cert chain

NicolasR (raison_nicolas@me.com)
2019-04-24 17:17:33

*Thread Reply:* workaround was to allow untrusted certs or not checking CRL

NicolasR (raison_nicolas@me.com)
2019-04-24 17:17:49

*Thread Reply:* it should have been fixed since then anyway...

Andrew Olpin (andy@olpin.us)
2019-04-24 17:19:37

*Thread Reply:* If it's email+ that's failing, check the domain name it's pointing to using a certificate checker (Qualys has one that's online)

Andrew Olpin (andy@olpin.us)
2019-04-24 17:19:48

*Thread Reply:* It will report back any certificate issues, and that may help troubleshoot.

Boris W. (bwl@ibelem.com)
2019-04-25 11:46:46

*Thread Reply:* Thanks for your answers. The SSL certificate seems to be good and trusted (SSL Labs rating "A"). I don't understand why the Email+ activation fails... 😞

Boris W. (bwl@ibelem.com)
2019-04-25 11:55:14

*Thread Reply:*

NicolasR (raison_nicolas@me.com)
2019-04-25 12:30:01

*Thread Reply:* this is something else 😉 https://activate-emailplus.mobileiron.com/index.php is another resource required for Email+ activation. I also had this one in the past and successfully fixed by playing with key value pairs... but not remembering which ones...

Boris W. (bwl@ibelem.com)
2019-04-25 15:21:43

*Thread Reply:* Yes, I read the configuration guide 😉 I tried the key "emailtrustall_certificates", it does not work. I will check the other key-values

Andrew Olpin (andy@olpin.us)
2019-04-25 17:57:12

*Thread Reply:* Is the device able to reach the URL in the message? That URL (activate-emailplus.mobileiron.com) is required to set up email+. It hasn't even tried connecting to your server yet.

Is the device on LTE or wireless? If you haven't, try LTE. If you have custom VPN enabled, make sure the device has a route out to that URL

NicolasR (raison_nicolas@me.com)
2019-04-25 18:28:26

*Thread Reply:* @Boris W. did you use AppTunnel rules with Email+?

NicolasR (raison_nicolas@me.com)
2019-04-25 18:28:40

*Thread Reply:* or maybe per-app vpn with Tunnel?

NicolasR (raison_nicolas@me.com)
2019-04-25 18:29:07

*Thread Reply:* @Andrew Olpin the screenshot shows 4G 😉

Martin Hodgson (martinh@bridgeway.co.uk)
2019-04-25 23:37:43

*Thread Reply:* If your Email+ config points to Sentry, test if Sentry can reach the url.

sentry@sentry.acme.com# telnet activate-emailplus.mobileiron.com 443
Trying 107.20.172.67...
Connected to activate-emailplus.mobileiron.com.
Escape character is 'off'.

Boris W. (bwl@ibelem.com)
2019-04-26 09:38:27

*Thread Reply:* The device was connected in LTE. With Safari, the URL is not accessible because of unsecured connection... (same issue on my PC). Nicolas, yes, I configured an AppTunnel Rule with my Sentry in the AppConfig. Thanks Martin for your suggestion, I will test that asap. 😉

NicolasR (raison_nicolas@me.com)
2019-04-26 11:06:17

*Thread Reply:* did you configure the AppTunnel rule on the Email+ AppConfig because of EWS traffic?

NicolasR (raison_nicolas@me.com)
2019-04-26 11:06:26

*Thread Reply:* because otherwise you shouldn’t

NicolasR (raison_nicolas@me.com)
2019-04-26 11:06:40

*Thread Reply:* Email+ connects to Sentry as ActiveSync client

MichaelM21 (mike.miller815@yahoo.com)
2019-04-24 19:25:17

MobileIron Access as a Service Delegated idP - the ADFS login page on a desktop browser will show an Active Directory button and a MobileIron Access button because of the trust added to ADFS with the PowerShell script from the Access admin portal, so I guess this is normal, right? But if a desktop user clicks on Access this will result in a failure because desktop traffic will not work with Delegated iDP. Can this option be hidden in the ADFS page?

NicolasR (raison_nicolas@me.com)
2019-04-24 20:21:10

*Thread Reply:* Look at the new “unmanaged device management” added in Access R30. This handles exactly this use case by allowing non managed traffic through del-IDP.

MichaelM21 (mike.miller815@yahoo.com)
2019-04-24 20:43:56

*Thread Reply:* Ok thanks I will.. Is this an option which needs to be enabled? Basically I don‘t want to send desktop traffic to Access. I thought this is the whole point of del iDP, but If a user can still choose Access this will cause a lot of headaches! Not sure if this is designed like that or I missed a configuration step

NicolasR (raison_nicolas@me.com)
2019-04-24 20:45:23

*Thread Reply:* Nope, you surely missed something. In the ADFS web theme you can select the user agent you send to access. Keep in mind that ADFS will not take the new .js script until you reload it through a specific command in PowerShell

MichaelM21 (mike.miller815@yahoo.com)
2019-04-25 03:45:52

*Thread Reply:* So you are saying I missed something within the execution of the PS script on the ADFS? I followed exactly what is in the guide! The only thing: I did not customize the mobile theme which the powershell prompted me.

NicolasR (raison_nicolas@me.com)
2019-04-25 08:21:53

*Thread Reply:* I’m talking about the few lines at the bottom of the .js script that you need to add. It’s part of the web page

MichaelM21 (mike.miller815@yahoo.com)
2019-04-25 18:22:45

*Thread Reply:* Not sure what you mean with adding a few lines. Can you point me to it in the guide?

NicolasR (raison_nicolas@me.com)
2019-04-25 18:23:32

*Thread Reply:* onload.js file

NicolasR (raison_nicolas@me.com)
2019-04-25 18:23:38

*Thread Reply:* at the end of the article

MichaelM21 (mike.miller815@yahoo.com)
2019-04-25 18:30:08

*Thread Reply:* Wow thanks. Is this also relevant for Access as a service? Because these steps are not in the guide for Access as a service with del IdP, I believe. This is the guide with Standalone Sentry..

NicolasR (raison_nicolas@me.com)
2019-04-25 18:31:15

*Thread Reply:* oh right! true... I’ll reach out to the author 😄

MichaelM21 (mike.miller815@yahoo.com)
2019-04-25 18:32:10

*Thread Reply:* OMG... 😳 thanks

NicolasR (raison_nicolas@me.com)
2019-04-25 18:32:29

*Thread Reply:* 🍻

NicolasR (raison_nicolas@me.com)
2019-04-25 18:37:41

*Thread Reply:* He will review the article

mahiroux (mhyb.mk@gmail.com)
2019-04-25 10:06:02

Has anyone managed to deploy MI file-pass successfully? It doesn’t work for me. When I am opening a Word file from Docs@Work, it flips to file-pass; however, it doesn’t show any option to open with a Word app.

pihlapuro (juho-pekka.pihlapuro@teliadatainfo.fi)
2019-04-26 08:21:04

@pihlapuro has joined the channel

aaron (aaron@groundctl.com)
2019-04-26 12:00:25

When did the new logo show up?

Jason (jasonh@bridgeway.co.uk)
2019-04-26 12:01:09

Oh, yuk!

Jason Bayton (jason@bayton.org)
2019-04-26 12:25:54

That was just me messing around in MS paint. Honest.

😆 Woody
aaron (aaron@groundctl.com)
2019-04-26 12:29:33

Somehow you got access to LinkedIn https://www.linkedin.com/company/mobileiron

Jason Bayton (jason@bayton.org)
2019-04-26 13:50:53

*Thread Reply:* I'm everywhere

Ignc (igncbc@gmail.com)
2019-04-26 13:28:17

I tried, better, but still ugly

Ignc (igncbc@gmail.com)
2019-04-26 13:28:33

😂

aaron (aaron@groundctl.com)
2019-04-26 13:47:08

I’m showing my age, but reminded me of this

👍 Woody
NicolasR (raison_nicolas@me.com)
2019-04-26 14:12:21

Announced internally on Tuesday

NicolasR (raison_nicolas@me.com)
2019-04-26 14:12:29

official launch on May 7th

Jason Bayton (jason@bayton.org)
2019-04-26 14:13:08

Nicolas it's bad. Cancel it.

Regards, Everyone

😂 Matt Dermody, Jason
NicolasR (raison_nicolas@me.com)
2019-04-26 14:13:18

😂

NicolasR (raison_nicolas@me.com)
2019-04-26 14:13:23

c’mon I like it 🙂

NicolasR (raison_nicolas@me.com)
2019-04-26 14:13:33

nope?

Jason Bayton (jason@bayton.org)
2019-04-26 14:13:36

Nope

NicolasR (raison_nicolas@me.com)
2019-04-26 14:13:37

hum?

NicolasR (raison_nicolas@me.com)
2019-04-26 14:13:44

----> [ ]

onires53 (jason.r.serino@gmail.com)
2019-04-26 14:13:53

Agreed. Saw it last night on LinkedIn and didn’t care for it but agree that it is time for a refresh.

👍 NicolasR, onires53, Woody
NicolasR (raison_nicolas@me.com)
2019-04-26 14:14:30

The old logo was nice but seriously, when all the market got refreshed we needed that 😉

NicolasR (raison_nicolas@me.com)
2019-04-26 14:15:26

and it’s still fine... here:

Jason Bayton (jason@bayton.org)
2019-04-26 14:16:52

Change the old red to blue. Refreshed. Job done.

Ignc (igncbc@gmail.com)
2019-04-26 14:16:55
NicolasR (raison_nicolas@me.com)
2019-04-26 14:18:15
NicolasR (raison_nicolas@me.com)
2019-04-26 14:18:26

🤮

Jason Bayton (jason@bayton.org)
2019-04-26 14:18:47

Perfect. Just without the embossed badge look

Ignc (igncbc@gmail.com)
2019-04-26 14:19:03

🤔where i have seen this before….😂

Jason Bayton (jason@bayton.org)
2019-04-26 14:20:02

Exactly. No need to change something that works.. especially if its result is dramatically worse.

Jason Bayton (jason@bayton.org)
2019-04-26 14:20:50

It's just shouting "I can't write 17” at me

NicolasR (raison_nicolas@me.com)
2019-04-26 14:21:11

That’s because you’re not used to it 😄 It’s just I feel it’s maybe too close to this;

Jason Bayton (jason@bayton.org)
2019-04-26 14:21:36

Totally different. McAfee can write an M properly.

😂 NicolasR, JF Rigot, Woody
Ignc (igncbc@gmail.com)
2019-04-26 14:21:49

and all of a sudden you make it look worse 😂

Jason Bayton (jason@bayton.org)
2019-04-26 14:52:22
😂 Marc van der Kooy, Woody
Jason (jasonh@bridgeway.co.uk)
2019-04-26 15:05:08

Am I the only one that can’t un-see this?

Jason (jasonh@bridgeway.co.uk)
2019-04-26 15:05:47

Also, is the reversed Batman intentional?

👍 Woody
Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-26 15:09:22

Or it's a 1 and it was struck by Zorro 😎

😂 Jason, Almar Diehl
aaron (aaron@groundctl.com)
2019-04-26 15:15:06

The old one looks like a falling stock price.

😄 Andrew Olpin, NicolasR, Woody
Jason Bayton (jason@bayton.org)
2019-04-26 15:23:09

So it was apt as well as looking better.

Jason Bayton (jason@bayton.org)
2019-04-26 15:23:24

😋

Andrew Olpin (andy@olpin.us)
2019-04-26 16:00:58

Do we think Ojas is going to replace / update his tattoo?

😂 MichaelM21
Jack Madden (jackalexandermadden@gmail.com)
2019-04-29 02:22:30

*Thread Reply:* You two beat me to the joke!

MichaelM21 (mike.miller815@yahoo.com)
2019-04-26 18:20:48

What's the deal with Core here? Happens after reboot and stuck for a while!

jaimin.s (jaimins@gmail.com)
2019-04-26 18:31:42

Probably from a cronjob during bootup. It's systemd logging a root logout. You can suppress it but I'd leave it be as it's harmless and you don't want to make config changes.

👍 MichaelM21
NicolasR (raison_nicolas@me.com)
2019-04-26 19:00:45

@here 👆

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-04-29 10:01:11

Does anyone have an app/tool with which you can control (view) Android phones on a Mac? I need to make a screenshot of something that blocks it (MobileIron Go), need this for a manual.

Ladislav Blazek (ladislav@lblazek.cz)
2019-04-29 14:11:06

*Thread Reply:* http://vysor.io for USB connected device… or Reflector for wireless connectivity

Dominik Schmid (dominik.schmid@cancom.de)
2019-04-30 07:50:36

@Dominik Schmid has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-04-30 12:33:42

Can video calling apps like Skype for Business or Jabber be used with MobileIron Tunnel? Wasn’t there a UDP limitation?

Fabian (mobilxperts@neokortex.de)
2019-04-30 12:48:44

Yes and no 🙂

Fabian (mobilxperts@neokortex.de)
2019-04-30 12:49:36

MI Tunnel does not tunnel UDP traffic. However, it supports Split UDP. Meaning all UDP traffic goes directly from the device to the intended destination.

Fabian (mobilxperts@neokortex.de)
2019-04-30 12:50:35

The former version of MI Tunnel used an iOS library which changed the UDP source ports, mainly preventing UC protocols from working successfully. This library has been replaced by another one, which does not modify source ports. This version is currently in Alpha stage and I know two customers testing that.

Fabian (mobilxperts@neokortex.de)
2019-04-30 12:50:48

Responsible PM at MI: Archana Karehalli Raju <araju@mobileiron.com>

Fabian (mobilxperts@neokortex.de)
2019-04-30 12:51:32

Be aware, it really is an Alpha. Many manual configuration steps and unstable results. But the proof of concept in general works as expected 🙂

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-04-30 15:09:17

*Thread Reply:* But that would also mean that the backend destination needs to be externally published for UDP traffic, right? Example: if a Cisco Call Manager is only available via Sentry.

MichaelM21 (mike.miller815@yahoo.com)
2019-05-06 13:03:46

*Thread Reply:* Where do I have to configure Split Tunneling for these Video apps which use UDP? In the VPN Tunnel configuration?

MichaelM21 (mike.miller815@yahoo.com)
2019-04-30 13:00:31

Thank you! I will take that into consideration!

JmB (jean-marc.bichaud@econocom.com)
2019-04-30 13:05:48

Hello guys, we are encountering a problem when deploying an application on Managed Play Store. We want to release a beta for our pilot population on open track (Google console) through MobileIron (Core 10.2). Our users are only downloading the production version. We double checked the prerequisites, checked the application version (25 for prd & 26 for beta - incremental OK) and we are testing on clean devices without any other applications. Any idea? Thank you

Almar Diehl (almar.diehl@blaud.com)
2019-04-30 13:48:36

*Thread Reply:* Did you create a beta label and assign it to the app?

JmB (jean-marc.bichaud@econocom.com)
2019-04-30 14:07:48

*Thread Reply:* Yes, we have created a manual label pointing to the beta release

Jonas Hofer (jonas.hofer@nomasis.ch)
2019-04-30 22:48:37

*Thread Reply:* I'd suggest to check the "Pricing & distribution" settings for the app, and also make sure the beta is set to "Open Beta Testing". Also be aware that changes on the Google play console sometimes take a couple of hours.

Peter Mohr (pm@conscia.com)
2019-05-01 06:33:52

*Thread Reply:* I've seen the same for AirWatch recently. Perhaps Google changed something ?

Ameri (christopher.ameri94@gmail.com)
2019-04-30 13:14:18

@Ameri has joined the channel

System Admin (sagar080890@gmail.com)
2019-05-01 14:10:06

Guys, do we have any case studies/business cases for plant or warehouse users where we can lock down the device and access in-house apps

System Admin (sagar080890@gmail.com)
2019-05-01 14:10:32

I am looking for MobileIron,SOTI and AirWatch

Matt Dermody (jmdermody@gmail.com)
2019-05-01 16:15:29

SOTI is best in class for the COSU Android use case, specifically with Zebra Android devices which have 65%+ of the new rugged android market.

Peter Mohr (pm@conscia.com)
2019-05-01 21:10:12

*Thread Reply:* @Matt Dermody, any specific features that makes you consider SOTI the best?

Matt Dermody (jmdermody@gmail.com)
2019-05-01 22:54:08

*Thread Reply:* Probably should move this out of the mobileiron channel, but i’ll continue for now

Matt Dermody (jmdermody@gmail.com)
2019-05-01 22:54:41

*Thread Reply:* native remote control that isn't separately licensed that works for both DA and DO enrolled devices

Matt Dermody (jmdermody@gmail.com)
2019-05-01 22:55:05

*Thread Reply:* options to leverage the AE kiosk, custom SOTI launcher, OR Zebra Enterprise Home Screen

Matt Dermody (jmdermody@gmail.com)
2019-05-01 22:55:27

*Thread Reply:* multiple methods for accomplishing tasks eg. Packages & File Sync Rules

Matt Dermody (jmdermody@gmail.com)
2019-05-01 22:55:50

*Thread Reply:* support for the Zebra MX configuration layer and the SOTI scripting engine is a dream

Matt Dermody (jmdermody@gmail.com)
2019-05-01 22:56:05

*Thread Reply:* You can send intents to devices to remotely enable and disable logging utilities

Matt Dermody (jmdermody@gmail.com)
2019-05-01 22:56:24

*Thread Reply:* start, kill, relaunch applications, wipe application data, process firmware updates, etc.

Matt Dermody (jmdermody@gmail.com)
2019-05-01 22:58:00

*Thread Reply:* And with AEDO + Zebra you can enroll in SOTI with StageNow, bypassing any of the standard Google SUW based methods (NFC, DPC, QR). Zebra provides a bypass barcode that allows you to launch straight into StageNow and then you can scan a second barcode to download the AE agent, install it, set it as DO (yes DO, not PO), and enroll it in an environment. You can use this method to also enroll DO AOSP devices.

Matt Dermody (jmdermody@gmail.com)
2019-05-01 22:59:09

*Thread Reply:* Ultimately I think the scripting is the best piece, you can seriously accomplish anything that is not exposed as an available configuration in the UI if you have the scripting layer + mx

Peter Mohr (pm@conscia.com)
2019-05-02 07:23:25

*Thread Reply:* cool. thanks for the update on SOTI

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-05-06 07:59:49

*Thread Reply:* If you want to use Zebra Devices, Soti has the most functions right now. If you want to use other devices, I would go for MI.

Nick (nickdiaz@gmail.com)
2019-05-02 14:33:46

Does anyone have insight into whether a high number of AND / OR conditional criteria in a Label (70 or more) will adversely affect Core performance?

Mark Vonk (mark.vonk@dahvo.com)
2019-05-02 14:52:04

*Thread Reply:* I believe it depends on the operators in use. Primarily negative operators (for example !=) will affect Core performance. Never really noticed a performance issue, but I also have never seen labels with 70 criteria....

Mark Vonk (mark.vonk@dahvo.com)
2019-05-02 14:52:31

*Thread Reply:* You might want to reconsider and use another method to achieve the same.

Jason Bayton (jason@bayton.org)
2019-05-02 15:00:10

*Thread Reply:* Depends on number of devices also. It's a DB query and will be pretty taxing

Nick (nickdiaz@gmail.com)
2019-05-02 15:32:08

*Thread Reply:* Thanks all. In this case, I need to apply a configuration based on an LDAP field indicating the country where the user resides most regularly (as opposed to using the reported location of the device). In this case the world would be broken up into 3 to 5 regions of countries. For example, Label1= if country=Argentina OR Chile OR Paraguay, etc. Label2 = if country=US or Canada. Label 3 = if country= Spain OR Portugal OR France OR Germany, etc. (and 50 more nearby countries). I hear you on the DB query - that's my concern. Assume 40k-70k users per Core.

Peter Mohr (pm@conscia.com)
2019-05-02 16:37:03

*Thread Reply:* You could create 70 labels each with own criteria

Nick (nickdiaz@gmail.com)
2019-05-02 16:39:51

*Thread Reply:* Interesting. So I'd be trading admin time, admin UI complexity, or potential for admin error for CPU load. Is there good data to support that processing 70 labels is less impactful than processing one label with 70 conditions?

Peter Mohr (pm@conscia.com)
2019-05-02 16:46:39

*Thread Reply:* Just from a SQL perspective I'd say that running a simpler query will help the optimizer and your indexes could help deliver fast responses. From an admin perspective I'd almost say that 70 labels would be easier to manage in the long run and perhaps even also initially

Peter Mohr (pm@conscia.com)
2019-05-02 16:47:30

*Thread Reply:* And if you ever need to target a specific country you already have that label 🙂

Fabian (mobilxperts@neokortex.de)
2019-05-08 17:07:23

*Thread Reply:* Elasticsearch will deal with the query and also build something like a query plan. Even if the Syntax in the UI is kind of heavy, the overall performance for Value IN (a, b, c) like query will be good. That's nothing complicated for ES.

Fabian (mobilxperts@neokortex.de)
2019-05-08 17:09:04

*Thread Reply:* You can easily monitor this on Core CLI or via Monitoring, by checking the elasticsearch CPU usage. A system of 80k will approx have an elasticsearch CPU usage of roughly 50%, depending on configuration.

Luc (luc.rames@digitaldimension.fr)
2019-05-03 14:10:27

Hi, Has anyone already implemented Google’s Alpha, Beta program on Core OnPremise?

Almar Diehl (almar.diehl@blaud.com)
2019-05-03 16:58:01

*Thread Reply:* Yes, I have, needed it for the beta version of Email+ 3.0

Luc (luc.rames@digitaldimension.fr)
2019-05-07 13:23:01

*Thread Reply:* Do you have some documentation for an easy implementation?

Luc (luc.rames@digitaldimension.fr)
2019-05-07 13:23:37

*Thread Reply:* I have tried with the MobileIron documentation but it is not working

Jason Bayton (jason@bayton.org)
2019-05-04 21:39:11

Folks does anyone have info on Cloud token enrolment for AE? Provisioner app updated to support it but I don’t see anything added in R60/61

NicolasR (raison_nicolas@me.com)
2019-05-04 23:43:51

*Thread Reply:* Can you elaborate what is the Cloud token enrollment?

NicolasR (raison_nicolas@me.com)
2019-05-04 23:43:59

*Thread Reply:* Is it AMAPI?

Jason Bayton (jason@bayton.org)
2019-05-04 23:56:42

*Thread Reply:* Open the provisioner, you’ll see it under username. It’s also referenced in the update notes in Google Play.

NicolasR (raison_nicolas@me.com)
2019-05-06 09:58:33

*Thread Reply:* I don’t have an Android device with me 😁

Mark Vonk (mark.vonk@dahvo.com)
2019-05-17 19:51:51

*Thread Reply:* Did you ever find out what it does?

Jason Bayton (jason@bayton.org)
2019-05-17 19:52:28

*Thread Reply:* No, my MobileIron resource above there is Android averse :p

Mark Vonk (mark.vonk@dahvo.com)
2019-05-17 20:02:41

*Thread Reply:* Understandably so 😉

Jason Bayton (jason@bayton.org)
2019-05-17 20:09:27

*Thread Reply:* Jason has left the thread

Mark Vonk (mark.vonk@dahvo.com)
2019-05-17 20:09:54

*Thread Reply:* 👋

Mark Vonk (mark.vonk@dahvo.com)
2019-05-17 20:14:02

*Thread Reply:* Ok ok... I asked around but nobody knew. Should get some info next week.

Jason Bayton (jason@bayton.org)
2019-05-17 20:19:51

*Thread Reply:* I know it's cloud related if that helps!

NicolasR (raison_nicolas@me.com)
2019-05-18 10:59:37

*Thread Reply:* Haha! I’m not Android averse but my boss hasn’t approved my expense for it yet 😬

Jason Bayton (jason@bayton.org)
2019-05-18 11:02:51

*Thread Reply:* @Mirko Bülles tell his boss to get on with it. He'll need a mid-top tier Samsung (A or better), Android One/Pixel and possibly a Huawei too (because they go wrong a lot).

Make it so 👏

😁

NicolasR (raison_nicolas@me.com)
2019-05-18 21:08:28

*Thread Reply:* He did already 😂👍

System Admin (sagar080890@gmail.com)
2019-05-06 07:01:18

Does anyone have an idea about an Azure SAML application hosted for iOS?

System Admin (sagar080890@gmail.com)
2019-05-06 07:01:26

I have one question please

MichaelM21 (mike.miller815@yahoo.com)
2019-05-07 11:09:03

Is there a way to use MS Teams with Access as a Service (delegated IdP) for iOS devices - Split Tunnel for UDP!

NicolasR (raison_nicolas@me.com)
2019-05-07 12:25:57

*Thread Reply:* Tunnel v4.0 coming soon (Q3 release)

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-05-07 13:57:35

*Thread Reply:* Isn’t there a workaround with MS Authenticator, Access URL within the Tunnel Safari Domains, etc?

NicolasR (raison_nicolas@me.com)
2019-05-07 13:58:03

*Thread Reply:* yes there is with MS Auth, but not ideal as you will allow an unmanaged app to connect

MichaelM21 (mike.miller815@yahoo.com)
2019-05-07 14:14:43

*Thread Reply:* Oh I see, you are right! 🤙

MichaelM21 (mike.miller815@yahoo.com)
2019-05-07 20:45:28

*Thread Reply:* Regarding the allowing unmanaged app - in the KB it is mentioned to disallow unmanaged apps within Access flow.

NicolasR (raison_nicolas@me.com)
2019-05-08 14:14:02

*Thread Reply:* Yes but the problem is that authentication flow is via a managed app even if the data are in an unmanaged app

MichaelM21 (mike.miller815@yahoo.com)
2019-05-08 14:34:51

*Thread Reply:* Ah yes that is what you mean! Got it

Mark Vonk (mark.vonk@dahvo.com)
2019-05-16 10:55:24

*Thread Reply:* I just heard UDP split tunneling will be delivered Q4. Might be a more conservative roadmap..., but not sure if it will make the Q3 release

🙏 MichaelM21
JmB (jean-marc.bichaud@econocom.com)
2019-05-07 12:45:36

Hello guys ! Anyone know a way to bulk retire with CSV / Script / Assemble / API ? Thanks

NicolasR (raison_nicolas@me.com)
2019-05-07 12:49:25

*Thread Reply:* Are you kidding me? Ask @Luc we know it works PERFECTLY for 500 devices within a few minutes...

Daniele Crippa (daniele.crippa@asystelitalia.it)
2019-05-08 15:20:57

@Daniele Crippa has joined the channel

Isak Sändh (isak.sandh@tele2.com)
2019-05-08 15:26:08

@Isak Sändh has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2019-05-08 17:39:50

Who’s at MI Live in Brooklyn? We should do a meetup!

👍 Woody
Woody (eric.woodland@trust.tc)
2019-05-08 20:16:29

*Thread Reply:* I know @Paul Troisi is!

Woody (eric.woodland@trust.tc)
2019-05-08 20:16:37

*Thread Reply:* I’m there in spirit, LoL

Paul Troisi (ptroisi@troymobility.com)
2019-05-08 20:28:26

*Thread Reply:* I am under the big red umbrella next to the answer desk. Come say hi Kiran

Woody (eric.woodland@trust.tc)
2019-05-09 14:37:41

*Thread Reply:* Seriously, did no one else make MI Live? The new logo that bad?

macbentosh (benbergthold@gmail.com)
2019-05-09 14:38:51

*Thread Reply:* I'm here!

👍 Woody
macbentosh (benbergthold@gmail.com)
2019-05-09 14:39:18

*Thread Reply:*

Woody (eric.woodland@trust.tc)
2019-05-09 14:40:54

*Thread Reply:* How’s it feel to come to our coast for once @macbentosh? LoL

macbentosh (benbergthold@gmail.com)
2019-05-09 14:41:29

*Thread Reply:* I'm tired and this city is nuts.

😆 Woody
macbentosh (benbergthold@gmail.com)
2019-05-09 14:59:19

*Thread Reply:*

Kiran Patel (kiran@kiranpatel.net)
2019-05-09 15:22:44

*Thread Reply:* I’m one row in front of you to the right lol

Paul Troisi (ptroisi@troymobility.com)
2019-05-12 22:11:01

*Thread Reply:* Hey @macbentosh I was there, sorry I missed you. Would have been great to meet you!

NicolasR (raison_nicolas@me.com)
2019-05-08 20:26:27

And who will be in MI Live Berlin? I will be starting from Tuesday

Mark Vonk (mark.vonk@dahvo.com)
2019-05-08 23:17:29

*Thread Reply:* +1

👍 NicolasR
Jason (jasonh@bridgeway.co.uk)
2019-05-09 10:42:38

*Thread Reply:* Me too - come and visit us at our IronWorks booth! 😀

🍻 NicolasR
NicolasR (raison_nicolas@me.com)
2019-05-09 10:43:13

*Thread Reply:* I want to see a demo of your product...!

JmB (jean-marc.bichaud@econocom.com)
2019-05-09 14:21:01

*Thread Reply:* +1

MichaelM21 (mike.miller815@yahoo.com)
2019-05-09 13:27:37

What could be the issue when devices are not receiving a new user certificate (for Email+) from the Core local CA? Core should try to renew it 60 days before it expires, right? Local CA is valid and issue test certificate also works within the SCEP config

Almar Diehl (almar.diehl@blaud.com)
2019-05-09 14:31:37

*Thread Reply:* The process for renewing the certificates runs at 3:45 AM (UTC), check if that runs OK.

MichaelM21 (mike.miller815@yahoo.com)
2019-05-09 15:26:07

*Thread Reply:* Wow that is some detailed info - thanks!

Rafael (r@kobylinski-ventures.com)
2019-05-10 01:57:40

@Rafael has joined the channel

Isak Sändh (isak.sandh@tele2.com)
2019-05-10 08:48:34

Ohai!

Soo... Many end customers run appconnect and have those configs, policies et al, applied to "all androids". When I'm thinking about preparing for AE with MGP, I'm hesitant about the best way forward with the migrations.

I am curious as for how you all have gone about this, both for core with labels and for cloud with device groups?

Almar Diehl (almar.diehl@blaud.com)
2019-05-10 13:49:30

*Thread Reply:* We have created two Android labels before the migration: Android legacy devices and Android Enterprise devices.

So instead of All Android devices we now use Android Legacy Devices for all config, policies, apps, etc. to be pushed to Android DA devices and Android Enterprise devices for all config, policies, app, etc to be pushed to AE devices.

MichaelM21 (mike.miller815@yahoo.com)
2019-05-10 13:38:07

The new features for iOS 11.3 and above „allow open unmanaged from managed...“ used to have the info in the restriction that this requires a license (Gold bundle). That info is not there anymore - is this feature now in the Silver bundle?

Almar Diehl (almar.diehl@blaud.com)
2019-05-10 15:03:09

*Thread Reply:* Just checked MobileIron Cloud. I know for sure that in Cloud you needed a gold license and therefore you could not use it with a silver license. It now shows up there under the silver license so I assume that MobileIron has changed it from gold to silver.

MichaelM21 (mike.miller815@yahoo.com)
2019-05-10 15:45:58

*Thread Reply:* Ah ok well that sounds different. Gotta ask next week in Berlin 😜

Jason (jasonh@bridgeway.co.uk)
2019-05-11 11:50:30

*Thread Reply:* Oh good, please do. It’ll make a pleasant change for me not to be the only one asking awkward licensing questions there! 🙂

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-05-12 20:43:45

*Thread Reply:* Anyone from #mobileiron here who can answer this question?

Peter Mohr (pm@conscia.com)
2019-05-13 06:41:16

*Thread Reply:* couldn't you always just send down custom xml ? I guess that wouldn't require a specific license?

MichaelM21 (mike.miller815@yahoo.com)
2019-05-13 12:01:33

*Thread Reply:* Technically I guess you are right. But why would we need restrictions within Core if we push down the custom XMLs?

Kiran Patel (kiran@kiranpatel.net)
2019-05-10 14:17:53

was this actually ever controlled by a license?

Mark Vonk (mark.vonk@dahvo.com)
2019-05-10 14:22:01

Not controlled or enforced, just an informal message only

😯 MichaelM21
NicolasR (raison_nicolas@me.com)
2019-05-10 14:22:04

Theoretically it’s a Gold license

NicolasR (raison_nicolas@me.com)
2019-05-10 14:22:18

but MobileIron doesn’t enforce licenses

MichaelM21 (mike.miller815@yahoo.com)
2019-05-10 15:44:54

Yes well controlled or not controlled, I think everybody’s goal is to be licensed correctly even though MI doesn’t enforce it, which is a good thing. But to be honest, we receive reports from MI when gold bundle customers use platinum features, so there is that. So officially it is Gold?

Mark Vonk (mark.vonk@dahvo.com)
2019-05-11 12:31:51

It was Gold, up until now. Not sure why they removed it or if it did actually change. You will have to ask your Account Manager from MI

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-05-13 13:05:37

Hi, anyone here running MI Core, onprem? I was wondering if there are any incentives to update from 10.2 to 10.3. The only one that is of relevance so far is the implementation of the iFrame with the Managed Google Play for Android Enterprise.

Jason Bayton (jason@bayton.org)
2019-05-13 13:29:39

*Thread Reply:* Samsung Knox features also!

👍 Adrian Patrascu
Almar Diehl (almar.diehl@blaud.com)
2019-05-13 14:34:43

*Thread Reply:* Ability to have 2 entries for the same Android app in apps@work. 1x in-house 1x PlayStore. Especially important during migration to AE.

👍 Adrian Patrascu, Duncan
Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-05-14 09:13:26

*Thread Reply:* Thank you for sharing these details 🙂! Very helpful.

Jason (jasonh@bridgeway.co.uk)
2019-05-15 08:03:04

If anyone on here is at MobileIron Live! Berlin, please do pop by our IronWorks booth and say hello!

👍 Duncan
macbentosh (benbergthold@gmail.com)
2019-05-16 16:20:14

what admin rights allow an admin to sync ldap?

Pierre (pierre.tabanous@digitaldimension.fr)
2019-05-16 16:50:37

*Thread Reply:* If you mean “Resync with LDAP”, I would say the “Manage users” right, but not 100% sure.

Jason Bayton (jason@bayton.org)
2019-05-16 18:32:05

*Thread Reply:* Dude, read a manual 😆

macbentosh (benbergthold@gmail.com)
2019-05-16 20:01:58

*Thread Reply:* you guys are my manual

🤣 Almar Diehl
JmB (jean-marc.bichaud@econocom.com)
2019-05-17 10:43:17

Hello guys, does anybody know the best way to get reports on App tunnel usage? Because the App Tunnel tab (MIFS Console > Apps > App tunnel) is not really practical: no export & little information

Almar Diehl (almar.diehl@blaud.com)
2019-05-17 10:56:52

*Thread Reply:* Have a look at Assemble. With Assemble you can export the AppTunnel lists.

JmB (jean-marc.bichaud@econocom.com)
2019-05-17 14:18:23

*Thread Reply:* Unfortunately, no Assemble in the picture.

MichaelM21 (mike.miller815@yahoo.com)
2019-05-18 06:38:37

We have two cloud services federated with ADFS, but only one will be activated for Access As A Service Delegated IdP. So If ALL mobile traffic will be routed to Access that will also include the requests for the other federated cloud service which we don‘t want to use with Access, right?

Ladislav Blazek (ladislav@lblazek.cz)
2019-05-20 10:14:35

*Thread Reply:* If you have delegated IdP setup then you decide on ADFS which auth traffic is forwarded to Access

MichaelM21 (mike.miller815@yahoo.com)
2019-05-20 14:16:50

*Thread Reply:* Right - so I need to configure this separately on the ADFS, not part of the MobileIron IdP Setup Powershell script?

MichaelM21 (mike.miller815@yahoo.com)
2019-05-20 10:08:58

There is no way to build a dynamic label based on an app which is installed on an iOS device, right?

Ladislav Blazek (ladislav@lblazek.cz)
2019-05-20 10:12:19

*Thread Reply:* You are right. We do such things (automations based on app install status) via API.

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-05-20 10:12:56

*Thread Reply:* Great, thank you.

JordanOC (jordan.oc@hotmail.com)
2019-05-20 11:59:46

@JordanOC has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2019-05-20 18:45:59

Does anyone know if it's possible to trigger an LDAP sync of MI Core through a script? Only way we've found was assemble but was hoping there was a straight API endpoint exposed for that.

Ronald Reerds (ronald.reerds@blaud.com)
2019-05-20 20:12:18

@Ronald Reerds has joined the channel

Jason Bayton (jason@bayton.org)
2019-05-20 23:27:18

AFAIK @Kiran Patel assemble is the way.

👍 Kiran Patel, MichaelM21
Michael (michaelcadogan26@gmail.com)
2019-05-21 00:06:14

@Michael has joined the channel

Daniël Kraaijeveld (daniel.kraaijeveld@twentynice.com)
2019-05-21 09:24:43

Also relevant here.

Andrew Olpin (andy@olpin.us)
2019-05-21 13:44:20

*Thread Reply:* Is it possible it's trying to download the old MI Cloud specific management app, instead of the new converged one?

Daniël Kraaijeveld (daniel.kraaijeveld@twentynice.com)
2019-05-21 14:17:31

*Thread Reply:* Hmm, probably not. The Go client is selected as DPC within the Zero Touch config

Nils Gerloff (nils.gerloff@your-side.de)
2019-05-21 10:57:38

Has anyone an idea? Failed to start Tomcat status 4

Mark Vonk (mark.vonk@dahvo.com)
2019-05-23 08:55:30

*Thread Reply:* Which Tomcat? MIFS or MICS? Did you update the Core? On the console, can you see more error messages? Is MySQL running? I would suggest to contact MobileIron support as it's high priority and intervention on the Linux might be needed....

Thomas B. (tbosboom@apple.com)
2019-05-23 12:07:22

@Thomas B. has joined the channel

macbentosh (benbergthold@gmail.com)
2019-05-24 14:46:21

Alright @here like @Jason Bayton asked I have looked through the manual and could not find out how to add an app configuration for an additional space. I would like a global config and a config for our clinical shared devices so the app will auto deploy on enrollment.

❤️ Jason Bayton
Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:47:12

@Daniël Kraaijeveld can you share your settings in ZT Portal for that device?

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:47:27

@Daniël Kraaijeveld Which device/type is this?

macbentosh (benbergthold@gmail.com)
2019-05-24 14:47:50

zt?

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:48:13

sorry...,my mistake

macbentosh (benbergthold@gmail.com)
2019-05-24 14:48:19

I have for testing created a space under device spaces

macbentosh (benbergthold@gmail.com)
2019-05-24 14:48:50

also core btw

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:50:11

@macbentosh Not all config options are possible in all spaces, especially for AE!

macbentosh (benbergthold@gmail.com)
2019-05-24 14:50:41

only iOS

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:50:58

iOS more extended than AE.

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:51:24

If you have a specific use case send me your input and I will send it to our Android PM

macbentosh (benbergthold@gmail.com)
2019-05-24 14:51:40

i dont use android

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:51:55

ok, so this is pure iOS deployment?

macbentosh (benbergthold@gmail.com)
2019-05-24 14:52:37

for this workflow yes.

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:55:17

Not sure if this is possible, i can ask around

macbentosh (benbergthold@gmail.com)
2019-05-24 14:56:23

that screenshot I sent I just want to have a config for global and a config for the clinical device space

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:57:22

I understand, but haven't used this before, so can not say if that works yes or no, or is available at all.

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:59:02

@Daniël Kraaijeveld I need to see the DPC config to see what is happening. What if you use another ZT enabled device to test with?

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 14:59:08

Like a Nokia or Pixel?

Daniël Kraaijeveld (daniel.kraaijeveld@twentynice.com)
2019-05-24 15:00:08

@Mirko Bülles Devices are Motorola One, nothing really fancy going on with the config. Can’t imagine that being the problem since it does work sometimes.

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 15:00:30

That is not really a lot, you miss the stuff in the DPC config

Daniël Kraaijeveld (daniel.kraaijeveld@twentynice.com)
2019-05-24 15:00:41

I have not tried other devices yet. Customer only has these within the portal.

Daniël Kraaijeveld (daniel.kraaijeveld@twentynice.com)
2019-05-24 15:01:18

I’ve used this config in other scenarios without any issues. Also used it with a DPC Config for this customer but that gave the same result.

Mirko Bülles (mbulles@mobileiron.com)
2019-05-24 15:01:19

Can you private slack me

MichaelM21 (mike.miller815@yahoo.com)
2019-05-27 18:00:52

iOS Email+ - can users work with folders and subfolders for Exchange notes within Outlook? It looks like Email+ only syncs the notes in the default folder so to speak. No notes folders are visible within Email+, so I guess this is not yet supported. Does anyone know this one?

Boris W. (bwl@ibelem.com)
2019-05-28 08:37:09

Hi all, I have an issue when creating web apps on MI Cloud (with Android Enterprise). I upload my icon (png or jpg in 512x512) but the upload fails... I successfully created 15 other web apps yesterday with the same icon and didn't have any issue... Any idea?

Jason Bayton (jason@bayton.org)
2019-05-28 08:41:47

*Thread Reply:* As it's an iFrame to a Google service I don't suppose there's a lot of troubleshooting we can do. Does it accept any other image? If not log it with MI.

👍 Boris W.
Boris W. (bwl@ibelem.com)
2019-05-28 08:43:24

*Thread Reply:* I tried other images and it does not work

Boris W. (bwl@ibelem.com)
2019-05-28 11:13:20

*Thread Reply:* Solved by MI Support... They didn't do anything... They just did the same process as me and now it works... 🙄🙄

😂 JmB
NicolasR (raison_nicolas@me.com)
2019-05-28 12:27:09

*Thread Reply:* karma Boris... karma

😂 Boris W.
noodl35 (david.v.nguyen@zurichservices.com)
2019-05-28 16:53:18

Anyone ever see the Self Diagnosis (Maintenance tab > Self Diagnosis) function get disabled out of nowhere in the MICS System Manager? It was enabled for the longest time.

MichaelM21 (mike.miller815@yahoo.com)
2019-05-29 16:24:00

Do I have to add an Active Directory group into the LDAP config on Core before I can use it within a filter label?

Jason Bayton (jason@bayton.org)
2019-05-29 16:26:20

*Thread Reply:* I always have

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-05-29 16:28:43

*Thread Reply:* Ok thanks - It seems with some versions of Core you have to re-enter the password for the ldap user when making changes!

Andrew Olpin (andy@olpin.us)
2019-05-29 16:48:17

*Thread Reply:* Yes, you have to add the group in the LDAP config in core. Otherwise, Core won't poll that group and it won't function.

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-05-29 19:45:40

*Thread Reply:* Thanks! 🤙

macbentosh (benbergthold@gmail.com)
2019-05-29 16:25:55

anyone @here use the single sign in webclip have time for a chat?

Kiran Patel (kiran@kiranpatel.net)
2019-05-29 17:42:03

*Thread Reply:* what do you mean by single sign in webclip? Like a webclip to an internal app that we have SSO for to auth to that web app or something else?

macbentosh (benbergthold@gmail.com)
2019-05-29 17:55:05

*Thread Reply:* multi user

Kiran Patel (kiran@kiranpatel.net)
2019-05-29 18:00:34

*Thread Reply:* ah okay my bad, sorry hadn't done that

Kiran Patel (kiran@kiranpatel.net)
2019-05-29 18:01:13

Has anyone here created a powershell script to send a message using the MobileIron Core API. Reviewing the API documentation and doing some quick testing with postman with the block below and need some help

Ladislav Blazek (ladislav@lblazek.cz)
2019-06-04 17:32:55

*Thread Reply:* Hi, I use following URL https://CoreFQDN/api/v2/devices/action?adminDeviceSpaceId=1&actionType=SEND_MESSAGE with POST method. Your data parameter looks fine.

Ladislav Blazek (ladislav@lblazek.cz)
2019-06-04 17:53:00

*Thread Reply:* I have made a PowerShell class implementing most of the MI’s API calls in PowerShell. Here is an example of my SendMessageToDevice method:

```powershell
# Send a message to a single device via the v2 device action endpoint.
[Object] SendMessageToDevice([String]$DeviceUUID, [String]$Mode = "pns", [String]$Subject = "Hello world!", [String]$Message = "Hello world!") {
    $Uri = $this.ApiEndPointV2 + "/devices/action?adminDeviceSpaceId=" + $this.AdminSpaceID + "&actionType=SEND_MESSAGE"
    $Params = @{
        "note" = "Message"
        "deviceUuids" = @($DeviceUUID)
        "additionalParameters" = @{
            "mode" = $Mode
            "subject" = $Subject
            "message" = $Message
        }
    }
    $Response = $this.RestPost($Uri, $Params)
    return $Response
}

# POST the parameters as JSON; log the exception and return $null on failure.
[Object] RestPost([String]$Uri, [Hashtable]$Params) {
    Try {
        $this.WriteLog("Debug", "POST " + $Uri)
        $Json = ConvertTo-Json -InputObject $Params
        $this.WriteLog("Debug", "Params: " + $Json)
        $Response = Invoke-RestMethod -Headers $this.Headers -Uri $Uri -ContentType "application/json" -Body $Json -Method 'Post'
    }
    Catch {
        $this.WriteLog("Error", $_.Exception)
        return $null
    }
    return $Response
}
```

Kiran Patel (kiran@kiranpatel.net)
2019-06-05 03:00:33

*Thread Reply:* Thank you so much for sharing this!

Kiran Patel (kiran@kiranpatel.net)
2019-06-05 03:01:31

*Thread Reply:* you're defining most of these variables elsewhere in the script right?

Ladislav Blazek (ladislav@lblazek.cz)
2019-06-05 07:45:38

*Thread Reply:* PowerShell supports objects since version 5. So I have a class implementing most of the API calls as methods. So basically I just instantiate a new object using this class (it takes a JSON file as a parameter for core FQDN and API credentials). Then I just call individual methods like SendMessageToDevice with parameters. Real world usage then looks like this:

```powershell
. "/path/to/class.ps1"
$MIPS = New-Object MIPS -ArgumentList "./config/core_examples.json"
$Result = $MIPS.SendMessageToDevice("91d12427-c730-4b1f-a0a7-44a94ee3c7a6", "pns", "Some subject", "Some message")
```

Kiran Patel (kiran@kiranpatel.net)
2019-05-29 18:01:54
macbentosh (benbergthold@gmail.com)
2019-05-29 19:49:09

well I have a ticket with support. When a user signs out of the multi user page it just spins and will only prompt again for login after a reboot of the device.

MichaelM21 (mike.miller815@yahoo.com)
2019-05-30 19:57:14

Enabling SAML for the Self-Service Portal is really only relevant for local admin users, not for regular LDAP users?

MichaelM21 (mike.miller815@yahoo.com)
2019-05-30 19:59:00
Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-05-31 08:15:00

Hi Guys, for those that are using Mobile@Work in an On Premise environment and have a blacklist of Android apps implemented, this is helpful. We saw it in the middle of this week and Android devices were getting quarantined: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000fyHlSAI

Aris (lambropo@gmail.com)
2019-06-03 21:36:33

@Aris has joined the channel

Jeff Mosher (jmosher@ca.ibm.com)
2019-06-04 17:24:24

@Jeff Mosher has joined the channel

ninex (me@willworland.com)
2019-06-04 23:02:08

@ninex has joined the channel

Dan Hughes (danh@avr.co.uk)
2019-06-05 09:42:43

@Dan Hughes has joined the channel

Dan Hughes (danh@avr.co.uk)
2019-06-05 14:31:57

Hi Guys and Girls, Is it possible to restrict a device to a single URL and prevent the device from navigating away via website menu bar and disable the URL bar from appearing please? My current thought is using Web@Work in Kiosk mode? This is using MobileIron Cloud and on an iOS device running the latest iOS and in DEP.

aaron (aaron@groundctl.com)
2019-06-05 15:36:02

You can create a web clip, and check the “Full Screen” option.

aaron (aaron@groundctl.com)
2019-06-05 15:36:06
aaron (aaron@groundctl.com)
2019-06-05 15:36:52

I don’t believe it works in kiosk mode. But you can hide all other apps.

Andrew Olpin (andy@olpin.us)
2019-06-05 15:48:35

I thought the full screen web clip was more-or-less retired?

Mark Vonk (mark.vonk@dahvo.com)
2019-06-05 15:55:23

I also thought full screen is or was already deprecated? You can easily create your own app based on webkit to open only that particular website. Deploy the app as an in-house app and lock the device down to single app mode.

Mark Vonk (mark.vonk@dahvo.com)
2019-06-05 17:25:08

Weird, that contradicts with; https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#page104 where fullscreen is not even documented anymore.

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-06-06 07:01:04

Did anyone see the "news" about the new app icons? What do you think about it?

👍 Marc van der Kooy, NicolasR
👎 Marc van der Kooy, MichaelM21
Almar Diehl (almar.diehl@blaud.com)
2019-06-06 07:31:30

*Thread Reply:* I like the new icons but hate it that they change the icons 🙂 Think of all the manuals/instruction cards that need to be changed around the globe…..

👍 MichaelM21
NicolasR (raison_nicolas@me.com)
2019-06-06 08:06:38

*Thread Reply:* 😂😉

MichaelM21 (mike.miller815@yahoo.com)
2019-06-06 11:54:58

Which Sentry service do I need to use within the Docs@Work config for OneDrive for Business? Custom or <IP_Any>?

Mark Vonk (mark.vonk@dahvo.com)
2019-06-06 12:17:57

IP Any is for Windows 10 or Android (Tunnel). For OneDrive with D@W I would choose <ANY>

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-06-06 13:34:40

*Thread Reply:* Ah yes sorry my bad. URL pattern would be like tenant.my-sharepoint.com 443, right

MichaelM21 (mike.miller815@yahoo.com)
2019-06-06 14:04:51

*Thread Reply:* The question is do I really need the sentry rules? I don‘t care about sending the Office365 traffic through Sentry, I only want to provide the OneDrive config for the users

Mark Vonk (mark.vonk@dahvo.com)
2019-06-06 14:33:49

*Thread Reply:* If you do not want to route the traffic through Sentry, you should not create a sentry rule. Just add the content site, without the rule and the traffic will not be routed through Sentry.

🙏 MichaelM21
Justin Butts (justin.butts777@gmail.com)
2019-06-06 19:27:39

@Justin Butts has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-06-06 20:40:43

What do you guys think about using DNS round robin for Sentry HA instead of a LB. Anyone using it?

NicolasR (raison_nicolas@me.com)
2019-06-06 21:04:49

BAAAAAAD IDEA

😳 MichaelM21
NicolasR (raison_nicolas@me.com)
2019-06-06 21:05:31

Won’t work if cert based Auth enabled

MichaelM21 (mike.miller815@yahoo.com)
2019-06-06 21:37:23

*Thread Reply:* That is interesting, because we use Kerberos Constrained Delegation on these ActiveSync Sentrys. Can you explain a little more why this won‘t work - because of the missing stickiness?

NicolasR (raison_nicolas@me.com)
2019-06-06 22:59:00

*Thread Reply:* Cert based Auth requires the session to be alive for more time than regular http sessions. I mean there are multiple connections from the client to the server and it’s mandatory to keep the same server for the entire handshake and session. DNS cannot handle the requirement to keep the same server (A) for 1 session... therefore when the secondary server (B) sees the connection it drops it because the handshake was not done with server B but server A

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-06-07 08:37:02

*Thread Reply:* Got it.. thank you!

NicolasR (raison_nicolas@me.com)
2019-06-06 21:05:49

DNS doesn’t handle session stickiness

Jason Bayton (jason@bayton.org)
2019-06-06 22:42:14

Make sure you use dynamic IPs while you're at it. Really up the ante on the will it work roulette 😁

Michael Goad (michaelpat87@gmail.com)
2019-06-10 15:45:01

@Michael Goad has joined the channel

Dan Hughes (danh@avr.co.uk)
2019-06-10 16:38:56

Just wanted to thank those who replied to my message. I'm new to Slack and haven't figured out how to reply in thread to the message I posted 😕

Peter Mohr (pm@conscia.com)
2019-06-11 06:41:39

*Thread Reply:* @Dan Hughes, welcome! Just click "start a thread" 🙂

Peter Mohr (pm@conscia.com)
2019-06-11 06:41:53

*Thread Reply:* Like this:

macbentosh (benbergthold@gmail.com)
2019-06-10 23:22:02

any good way to push a .ical shared cal to android users?

Prip (prithviprasadk@hotmail.com)
2019-06-12 09:04:21

@Prip has joined the channel

Phil Hackett (phil.hackett83@gmail.com)
2019-06-12 11:32:08

We need to migrate our SCEP profiles from SHA-1 to SHA-2.

Our Wi-Fi, VPN and Email configurations each have their own SCEP profiles for identity certificates. Over 100k SHA-1 certs have been issued to devices.

We use a Microsoft CA, but it can only issue 900 new certs per hour.

Has anyone done a large migration like this before? Any tips or things to avoid?

Ladislav Blazek (ladislav@lblazek.cz)
2019-06-12 11:59:43

*Thread Reply:* Hi Phil,

if the MS CA is used for other functionality/devices then you really don’t want to overload it.

So my recommendation is:

  1. Prepare new configs with sha256 certs.
  2. Move existing configs to manual labels to keep them on existing devices, but do not issue new sha1 certs to newly registered devices.
  3. Deliver new configs to newly registered devices via filtered label.
  4. Use API/Assemble for migration of existing devices in waves.

I did a similar migration for 40k devices with exchange/wifi/vpn configs. Just calculate the amount of devices per hour/day and then let the script run on a scheduled basis.

Feel free to contact me directly if you need help with that.

Ladislav Blazek (ladislav@lblazek.cz)
2019-06-12 12:13:05

*Thread Reply:* Be aware that Assemble is slow as hell. That is why I wrote PowerShell class implementing MI API. Using API directly will massively speed up the process.

Phil Hackett (phil.hackett83@gmail.com)
2019-06-12 12:26:12

*Thread Reply:* That’s awesome, thanks Ladislav. Will be in touch if we need help.

New CA should be dedicated to mobile devices, so we can push it to the limit.

We’ve got first hand experience on the speed of Assemble 🙄

Ladislav Blazek (ladislav@lblazek.cz)
2019-06-12 12:28:16

*Thread Reply:* It is sometimes like 40 mins by Assemble compared to 2 mins with API. Assemble is terribly slow if you need to retrieve data for huge amount of devices.

Ladislav Blazek (ladislav@lblazek.cz)
2019-06-12 12:33:56

*Thread Reply:* During the last migration we did the crucial parts of the migration were: 1. progress monitoring, 2. user notifications - we sent email/push notification to every user 1 day before migration.

Ladislav Blazek (ladislav@lblazek.cz)
2019-06-12 13:25:00

*Thread Reply:* Last hint: do not underestimate additional load on Sentrys and EAS backend. Exchange config re-push = email re-sync on devices. From user experience it means all contact/mails/calendar entries will disappear.

🙏 Phil Hackett
Justin Butts (justin.butts777@gmail.com)
2019-06-12 16:00:21

Anyone moved from On-Prem to Cloud recently? Wanting a general scope out of what's involved

Justin Butts (justin.butts777@gmail.com)
2019-06-12 16:00:42

Haven't moved anyone from On-Prem to Cloud in any MDM, wondering if there's anything MI does to make that as painless as possible

Mark Vonk (mark.vonk@dahvo.com)
2019-06-12 16:03:20

*Thread Reply:* MobileIron will release a tool to migrate users without re-enrollment. But it is not available yet. You can hire professional services to do the same: they will set up the tool and help migrate the users. You will need to configure the Cloud and configs still.

Justin Butts (justin.butts777@gmail.com)
2019-06-12 16:03:49

*Thread Reply:* Oooh so I can still obtain that tool, I'm just responsible for configuring it?

Mark Vonk (mark.vonk@dahvo.com)
2019-06-12 16:04:38

*Thread Reply:* No not yet. Only PS have access to it for now

Justin Butts (justin.butts777@gmail.com)
2019-06-12 16:07:58

*Thread Reply:* Gotcha - magic question - any idea when that tool will be released for general use?

Mark Vonk (mark.vonk@dahvo.com)
2019-06-12 16:42:52

*Thread Reply:* I really have no idea about that. If you have an account or partner manager, you might want to ask them.

Andrew Olpin (andy@olpin.us)
2019-06-12 18:32:41

*Thread Reply:* My old contacts @ MobileIron said the tool was pretty much there. Reach out to your MI account team for help.

Justin Butts (justin.butts777@gmail.com)
2019-06-12 19:23:50

*Thread Reply:* Thanks!

NicolasR (raison_nicolas@me.com)
2019-06-12 23:23:22

*Thread Reply:* The “LUI migration tool” is almost there... some fine tuning to make it usable by trained partners I guess and we’re here. LUI stands for “Low User Impact” 😉 I’m currently working with a very large customer (150k+ devices on Core) to migrate to Cloud with this tool.

It works frictionless for iOS and Android DA. For AE Android devices we need to find the right way to do that: either through the API available in P or through another magic thing we will do inside our client app

Johannes Harbs (harbs.johannes@gmail.com)
2019-06-13 13:25:55

*Thread Reply:* @NicolasR is the tool only for migration from MI On-Prem to Cloud or also for other scenarios? On-Prem to On-Prem, Cloud to Cloud, different EMM to MI?

NicolasR (raison_nicolas@me.com)
2019-06-13 13:49:39

*Thread Reply:* Only CORE to CLOUD (soon we will support Connected Cloud to CLOUD)

👍 Johannes Harbs
Paul Troisi (ptroisi@troymobility.com)
2019-06-21 14:11:01

*Thread Reply:* @Justin Butts Although the Core > MIC LUI is "ready", PS is still working out some minor tweaks in it. The CC > MIC will not be available until Q3 (most likely, end of Q3). There are definitely caveats you should be aware of with using LUI. Most important is that the Apple MDM needs to be imported into the Cloud first, not in arrears to prevent the iOS chain from being broken. A series of CLI commands on the Core can get that extracted for import into the Cloud. One of the challenges with the CC migration! There are other options available to migrate to and from UEM platforms. DM me if you need to discuss. Good luck!

👍 Justin Butts, Mark Vonk
Davo (drdavematthews@gmail.com)
2019-06-13 05:07:11

@Davo has joined the channel

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-06-13 11:29:33

Hi Guys, has anyone done a Samsung Knox integration with MI Core? I would be interested to find out if you worked based on this star guide and if you had any challenges along the way: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000Qy4yCAC

Mark Vonk (mark.vonk@dahvo.com)
2019-06-13 12:40:43

*Thread Reply:* Yes works fine. Basically there is no connection between KME and Core (as you would have with DEP). You configure KME and there you configure the MDM to connect to. 30 minutes work.

👍 Adrian Patrascu
Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-06-13 13:25:15

*Thread Reply:* Nice, thank you for confirming Mark 🙂! Looking forward to see how this looks.

Wouter Troost (wt@mob.co)
2019-06-13 13:16:10

@Wouter Troost has joined the channel

Developer (anujbahuguna.dev@gmail.com)
2019-06-13 16:21:22

@Developer has joined the channel

macbentosh (benbergthold@gmail.com)
2019-06-13 18:45:03

Anyone know how to give the user an option to download an ebook?

macbentosh (benbergthold@gmail.com)
2019-06-13 18:45:07

like via the appstore

Michael Goad (michaelpat87@gmail.com)
2019-06-13 21:42:32

*Thread Reply:* For iOS I would recommend using VPP to purchase and push Books (iBooks) to your users, you would retain ownership of the book and would also manage distribution of the content. So you can publish the books to the user to choose to read

👍 Justin Butts
Michael Goad (michaelpat87@gmail.com)
2019-06-13 21:42:41

*Thread Reply:* Is that more of what you are looking for?

Michael Goad (michaelpat87@gmail.com)
2019-06-13 21:46:44

*Thread Reply:* From my knowledge there is no way to push apps from public App Store, you would essentially purchase books via VPP and publish to the books app to create your own "bookstore" so to speak. Problem there is you have to purchase all the books users can't just choose. So I would recommend having your users ask which content they want to give you some materials to bring to the books app

Luiz Nascimento (luizgmn@br.ibm.com)
2019-06-13 22:14:17

@Luiz Nascimento has joined the channel

Brian Smith (brian@hexnode.com)
2019-06-14 08:43:06

@Brian Smith has joined the channel

Keith Metzger (kmetzger@christianacare.org)
2019-06-20 18:11:47

@Keith Metzger has joined the channel

Brian Irish (brian.m.irish@christianacare.org)
2019-06-20 18:32:51

@Brian Irish has joined the channel

Phil Burk (philburk@mac.com)
2019-06-21 13:17:09

@Phil Burk has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-06-24 15:00:36

Hello guys, I need to extend the partition of MobileIron Core. Is this article from 2015 still valid: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxzSCAS

Any issues I might run into? Appreciate sharing your experiences.

macbentosh (benbergthold@gmail.com)
2019-06-24 20:21:54

Anyone @here have info on these messages. I have seen them forever from CORE but my infosec team is freaking out now that we are in the SIEM…

macbentosh (benbergthold@gmail.com)
2019-06-24 20:21:55

Jun 24 19:01:51 mi stunnel: PRODUCT=Core10.2.0.033,Jun 24 19:01:48 mi stunnel: LOG3[542756]: SSL_accept: Peer suddenly disconnected

Justin Butts (justin.butts777@gmail.com)
2019-06-24 20:24:21

Make sure SSL is on for the port if this is mail related at all

Justin Butts (justin.butts777@gmail.com)
2019-06-24 20:24:58

@macbentosh I think it just means that it was disconnected before SSL was actually negotiated

macbentosh (benbergthold@gmail.com)
2019-06-24 20:25:45

ok

SS (sethuselvaeee@gmail.com)
2019-06-25 03:05:49

@SS has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-06-25 11:55:18

Is there a way to pre-configure Microsoft Outlook for Android device admin enrollments with MobileIron Core?

Jason Bayton (jason@bayton.org)
2019-06-25 12:18:01

*Thread Reply:* If outlook supports XML config, and you’ve another means for pushing it to the device, probably.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-06-25 14:06:48

*Thread Reply:* I think this is not possible in this setup. But you can do it with Android Enterprise.

MichaelM21 (mike.miller815@yahoo.com)
2019-06-25 21:55:25

*Thread Reply:* Ok thanks. Does anyone know if Outlook for iOS or Android Enterprise can be used with Lotus Notes and KCD?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-06-26 07:59:16

*Thread Reply:* maybe it works but it is not officially supported, so I wouldn't do it

macbentosh (benbergthold@gmail.com)
2019-06-25 15:13:25

Looking for best practices as it comes to replacing a very broad label with a more refined one…EXP. have a config pushed to the IOS label and want to add a label that allows me more flexibility. In the past if i remember I apply the new label and let it set and remove the old label. All without interruption i hope.

macbentosh (benbergthold@gmail.com)
2019-06-25 15:19:06

forgot the @here again

Andrew Olpin (andy@olpin.us)
2019-06-25 15:22:27

Yes. Set up the new label, and apply the same configs....then wait a while before you remove the configs from the old label

👍 Kiran Patel
Cherish Dickey (dickey_cherish@bah.com)
2019-06-25 18:53:20

@Cherish Dickey has joined the channel

Cherish Dickey (dickey_cherish@bah.com)
2019-06-25 19:19:54

Not sure if this question is better asked here or in the Android channel but I am trying to understand the process of locally hosting an in house app when “install this app for Android Enterprise” is checked in MI Core. Documentation states, that the apk definition file must be uploaded to the Google Play Console and there will be a license key that we pull from the console and upload to the Core but I’ve been unable to find clear guidance on where to actually upload the definition file in the Console. Anyone have any experience with this?

Almar Diehl (almar.diehl@blaud.com)
2019-06-25 19:29:38

*Thread Reply:* The definition file is uploaded in Google Play at the same place where you can upload an app. But before being able to upload the definition file you have to enable Managed Google Play for the app and select the checkbox just above the APK/definition upload frame.

MichaelM21 (mike.miller815@yahoo.com)
2019-06-25 21:12:15

*Thread Reply:* Upgrade to Core 10.3 which will make Inhouse app deployment much easier!

👍 Cherish Dickey, Adrian Patrascu
Almar Diehl (almar.diehl@blaud.com)
2019-06-25 21:32:39

*Thread Reply:* Not easier for self-hosted applications. These still go through the cumbersome Google Play process.

MichaelM21 (mike.miller815@yahoo.com)
2019-06-25 21:53:39

*Thread Reply:* I thought the virtual private Google Play Store is a part of 10.3? 😳

Cherish Dickey (dickey_cherish@bah.com)
2019-06-26 00:02:35

*Thread Reply:* Thanks @Almar Diehl, these were the steps I was missing: Go to Pricing & Distribution > User programs > Managed Google Play. Check the "Turn on advanced managed Google Play features" box. Check the "Privately target this app to a list of organizations" box. Click Choose Organizations.

Almar Diehl (almar.diehl@blaud.com)
2019-06-26 08:24:41

*Thread Reply:* Yes @MichaelM21 it is but you can only use it for APKs. If you want to host the APK on your own server and want to upload a definition file to Google Play Store you cannot use the Google Play iFrame.

MichaelM21 (mike.miller815@yahoo.com)
2019-06-26 12:09:57

*Thread Reply:* Ok that means I can upload an APK to Core and distribute it directly to the device without publishing the app in Google Play before?

Almar Diehl (almar.diehl@blaud.com)
2019-06-26 12:33:12

*Thread Reply:* No, you always have to publish. Either an APK, using the iFrame, or a definition file using Google Play Console.

Jason Bayton (jason@bayton.org)
2019-06-26 14:39:30

*Thread Reply:* You can push APKs to devices from Core, but they won’t show up in Google play, they’ll install silently.. they’ll also be subject to less than ideal caveats, so Play is the better route

MichaelM21 (mike.miller815@yahoo.com)
2019-06-27 08:35:49

*Thread Reply:* So basically what you are saying is that Core 10.3 is possible to deploy an APK directly to the device. With this private virtual Google Play Store integration without the need of a developer account?

Jason Bayton (jason@bayton.org)
2019-06-27 08:39:52

*Thread Reply:* iFrame requires no dev account.

Megan ODonnell (omegan@us.ibm.com)
2019-06-25 19:52:05

@Megan ODonnell has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-06-26 17:53:48

How do you guys configure a WiFi config with a Preshared Key - a variable needs to be used in the config, right? (Core)

NicolasR (raison_nicolas@me.com)
2019-06-26 21:13:47

*Thread Reply:* $NULL$ and in the field at the right just enter your key 😉

🙏 MichaelM21
Mark Vonk (mark.vonk@dahvo.com)
2019-06-26 19:33:11

Variable? What kind of Wi-Fi is it? WEP/WPA(2), personal or enterprise?

MichaelM21 (mike.miller815@yahoo.com)
2019-06-27 07:49:33

*Thread Reply:* WPA2 Enterprise

Mark Vonk (mark.vonk@dahvo.com)
2019-06-27 10:23:26

*Thread Reply:* Ok, you really do not need to use a variable, but you can replace $PASSWORD$ with $NULL$ indeed, assuming you need users to authenticate with accounts. If users authenticate with a client cert, you can leave it as is.

MichaelM21 (mike.miller815@yahoo.com)
2019-06-27 10:32:54

*Thread Reply:* They don‘t authenticate with an account, there is only a PSK which the user doesn’t know

Mark Vonk (mark.vonk@dahvo.com)
2019-06-27 10:35:17

*Thread Reply:* WPA 2 Enterprise does not use a PSK. The “enterprise” part means you will have a radius server for authentication. So I am not sure what you are trying to do now…

MichaelM21 (mike.miller815@yahoo.com)
2019-06-27 18:09:33

*Thread Reply:* Sorry for the misunderstanding - obviously I am not a golfer as The Big Lebowski would say! 🙈

Justin Butts (justin.butts777@gmail.com)
2019-06-26 20:10:58

Typically it's just choose the correct security type and enter the PSK

🙏 MichaelM21
Joe Baker (jabaker@us.ibm.com)
2019-06-27 16:31:43

@Joe Baker has joined the channel

Ankit (aamin46@gmail.com)
2019-06-28 22:26:58

@Ankit has joined the channel

mahiroux (mhyb.mk@gmail.com)
2019-07-01 10:36:25

#mobileiron We have already federated ADFS with our existing production MI Access tenant, which is registered to Production Core (SaaS). Can I also federate the same ADFS with another Access tenant which will be registered on test Core?

NicolasR (raison_nicolas@me.com)
2019-07-01 15:59:32

*Thread Reply:* it depends on:

  • Your Access setup (is it Delegated IDP or IDP Proxy)
  • If you have a separate Service Provider
Ladislav Blazek (ladislav@lblazek.cz)
2019-07-01 19:18:17

*Thread Reply:* In short if you deployed Access in IdP proxy mode then yes.

mahiroux (mhyb.mk@gmail.com)
2019-07-02 08:29:35

*Thread Reply:* @NicolasR It is deployed as IDP Proxy. We don’t have a separate SP. Will that work in this scenario?

NicolasR (raison_nicolas@me.com)
2019-07-02 08:38:44

*Thread Reply:* No, because the federated pair is linked to the Service Provider

NicolasR (raison_nicolas@me.com)
2019-07-02 08:38:51

*Thread Reply:* what is your use case?

mahiroux (mhyb.mk@gmail.com)
2019-07-02 09:41:20

*Thread Reply:* We currently have an ADFS-Office 365 federated pair configured on Access tenant. Our live MI core is registered to core. We would like to register our test core as well so that test users can also leverage the functions of Access for the same ADFS - SP federation.

NicolasR (raison_nicolas@me.com)
2019-07-02 09:42:06

*Thread Reply:* this cannot work unfortunately

NicolasR (raison_nicolas@me.com)
2019-07-02 09:42:24

*Thread Reply:* it will require another O365 tenant at least

NicolasR (raison_nicolas@me.com)
2019-07-02 09:42:31

*Thread Reply:* or

NicolasR (raison_nicolas@me.com)
2019-07-02 09:42:56

*Thread Reply:* if O365 supports multiple Identity providers, maybe you can create another Relying party on the ADFS

mahiroux (mhyb.mk@gmail.com)
2019-07-02 14:00:10

*Thread Reply:* Today I got a confirmation from MobileIron support that says we can register up to 6 cores on an Access tenant and can use the same federated pair. Let me test that tomorrow and see how it goes.

macbentosh (benbergthold@gmail.com)
2019-07-02 18:37:40

Anyone @here install ivanti on their MI VMs?

NicolasR (raison_nicolas@me.com)
2019-07-02 22:10:12

*Thread Reply:* You are not allowed to install any third party software unless MobileIron support or PS advise you. 👮🏻😉

macbentosh (benbergthold@gmail.com)
2019-07-02 22:10:27

*Thread Reply:* good

NicolasR (raison_nicolas@me.com)
2019-07-02 22:11:42

*Thread Reply:* What’s the need? Deploy anti virus or equivalent?

Amina Kabeer (amina@mitsogo.com)
2019-07-04 06:33:21

@Amina Kabeer has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-07-08 13:16:38

Getting a General Error for SCEP issuing a test cert - where can I find the logs on Core?

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-08 13:18:06

*Thread Reply:* Go to System Manager, enable debug logging, click MIFS link to see realtime logs, repeat test in certificate enrollment profile.

MichaelM21 (mike.miller815@yahoo.com)
2019-07-08 13:20:28

*Thread Reply:* Thanks for the fast response.. I will look for it!

MichaelM21 (mike.miller815@yahoo.com)
2019-07-08 13:45:28

*Thread Reply:* Got it... TLS1.0 issue! 😂

👍 Ladislav Blazek
Ajay Patel (ajay5675@msn.com)
2019-07-10 11:56:26

@Ajay Patel has joined the channel

Ajay Patel (ajay5675@msn.com)
2019-07-10 11:58:30

Hi, I'm new to the MobileIron world and was hoping you experts could answer a few questions: 1) does it support MFA for admin accounts? 2) is there a definitive list of what is different between on prem and cloud versions?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-07-10 15:30:55

*Thread Reply:* 2) Not really. It's changing too fast. You can compare features in the Roadmap if you have access to it.

Mark Vonk (mark.vonk@dahvo.com)
2019-07-10 15:44:40

*Thread Reply:* 1. Are you on Core or Cloud? At least for Cloud, you can use Azure AD as the user and admin source. You can set up MFA for admin accounts on Azure AD which have access to the Cloud portal.

Mark Vonk (mark.vonk@dahvo.com)
2019-07-10 15:45:53

*Thread Reply:* 2. I have requested such a list many times, but never got it. Assume it is cumbersome as there are many changes between the two. But please request it with your account manager or MI partner, maybe it gets heard.

Andrew Olpin (andy@olpin.us)
2019-07-10 17:56:56

*Thread Reply:* I was a sales engineer at MobileIron, and despite how often we asked, we never got a comparison sheet either. 🙂

Part of it was the monthly MI Cloud releases made it hard to keep up.

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-10 18:06:22

*Thread Reply:* 1) You can federate with your IdP for enrollment authentication/user/admin portal access. Except to that MI Cloud AFAIK supports 2FA via email.

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-10 18:07:52

*Thread Reply:* 2) Functional wise MI cloud and Core are comparable now with new features being prioritized on Cloud. Especially in case of desktop management (W10/macOS).

Jason (jasonh@bridgeway.co.uk)
2019-07-11 09:23:55

*Thread Reply:* Except for APIs, which are wildly different between the two, of course. However, I presume you’re considering which would suit your current or future requirements best?

Mark Vonk (mark.vonk@dahvo.com)
2019-07-11 09:26:48

*Thread Reply:* To be honest, I think it is a mess between Core and Cloud. Some features you expect in Cloud (by nature) come to Core first and vice versa. Working on both is sometimes confusing because you tend to think all features are available on both and you assume it is available.

👍 Jason, Andrew Olpin
Jason (jasonh@bridgeway.co.uk)
2019-07-10 14:42:03

Hi Ajay, welcome to the group. Whereabouts are you from?

Ignc (igncbc@gmail.com)
2019-07-11 09:52:26

Hi guys, I have one question about Sentry behind HA. The picture is I have 2 cores in HA, and 2 Sentrys behind an F5 doing the HA and balancing the requests between sentry1.whatever.com and sentry2.whatever.com in my core. I have both sentrys configured, the problem comes when I need to setup the Tunnel app policy to apply it to the IOS devices. In the list of available servers I see sentry1 and 2, but not the balanced F5 domain to which the devices must attack from the outside, so how do you proceed to solve that? Thanks

Almar Diehl (almar.diehl@blaud.com)
2019-07-11 09:57:55

*Thread Reply:* Hi Ignc, in 1 of the Sentry configurations in Core you need to have the F5 domain (sentry.whatever.com) configured for the Sentry hostname. In the system manager of Core, create a static host record pointing sentry.whatever.com to the ip-address of sentry1.whatever.com.

Ignc (igncbc@gmail.com)
2019-07-11 10:12:24

*Thread Reply:* Hi Almar, thanks for your reply, I imagine something like that can be done, but I supposed that a more “elegant” option should be available. It looks more like a workaround than a “clean” solution, because of that I asked 😂. Anyway if it works I can live with that 😁.

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-11 14:21:27

*Thread Reply:* We use the same configuration as @Almar Diehl mentioned. Network load balancer alias is used as sentry name for first node in Admin portal. For all other nodes in the Sentry pool we then add incremental number. So if the NLB alias is sentry.acme.com then the first sentry name is sentry.acme.com, second sentry is sentry2.acme.com, third sentry3… Static host record on Core side will then point sentry.acme.com to first Sentry node instead of NLB.

Bhaskar Chandra (bhaskarchandra89@yahoo.com)
2019-07-11 11:03:07

@Bhaskar Chandra has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-07-11 16:48:04

Does anyone know if Knox Kiosk Mode capabilities have been removed from Core 10.3?

Mark Vonk (mark.vonk@dahvo.com)
2019-07-11 18:42:51

*Thread Reply:* Yes, in favor of AE dedicated device Kiosk mode

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-07-11 21:00:36

*Thread Reply:* And customers who still use Knox Kiosk have to move to AE COSU?

Jason Bayton (jason@bayton.org)
2019-07-12 16:39:38

*Thread Reply:* That’d be ideal…

😂 MichaelM21
Stuart Brown (stuartbrown@google.com)
2019-07-11 18:46:43

@Stuart Brown has joined the channel

Yth (enis_1990_@hotmail.com)
2019-07-16 17:48:59

@Yth has joined the channel

Dana Baker (manager.tablet@us.issworld.com)
2019-07-16 18:47:39

@Dana Baker has joined the channel

Woody (eric.woodland@trust.tc)
2019-07-17 21:45:35

@here Refresh my memory: In Core, if you bulk generate enrollment PINs for devices, that would bypass the per-user device enrollment limit. Correct?

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-07-26 06:55:21

*Thread Reply:* @Woody that is correct. You can also do this if an Admin requests a PIN manually. The limitation is enforced on the BYOD portal which is used by users to request PINs for registering devices.

👍 Woody
Woody (eric.woodland@trust.tc)
2019-08-29 17:07:33

*Thread Reply:* Thanks @Adrian Patrascu! I’d love to find a way to keep this limitation enforced, but exclude DEP enrollments from being subject to it.

Woody (eric.woodland@trust.tc)
2019-08-29 17:08:35

*Thread Reply:* I suppose Core cannot differentiate between what is a DEP-Based enrollment and BYOD enrollment from a generic MDM Request Level

Chad Welch (cwelch@mobileiron.com)
2019-07-18 15:43:41

@Chad Welch has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-07-19 09:16:30

How do I use a CIFS share name with spaces in the name 🙈 within a Docs@Work config? Any break symbols or enter it with the spaces?

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-19 09:40:37

*Thread Reply:* Have you tried URL encoded address?

MichaelM21 (mike.miller815@yahoo.com)
2019-07-19 10:02:19

*Thread Reply:* How do you mean? Which one is that?

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-19 11:40:31

*Thread Reply:* Basically you have URL in your Docs@work config, right? Something like: https://sentryfqdn:445/share/. If you have space in share name then try to use %20 instead of space - something like https://sentryfqdn:445/some%20share/

MichaelM21 (mike.miller815@yahoo.com)
2019-07-19 12:07:49

*Thread Reply:* Gotcha, I will try it! Thank you!

MichaelM21 (mike.miller815@yahoo.com)
2019-07-19 10:34:33

We use an ActiveSync Sentry with Passthrough - Exchange config for iOS native mail. We now need to enable AppTunnel on the same Sentry. Do I modify the existing Exchange config and choose the SCEP for AppTunnel there or is there no impact for ActiveSync after enabling AppTunnel?

Mark Vonk (mark.vonk@dahvo.com)
2019-07-19 10:42:04

*Thread Reply:* Of course there is impact. You are now using Passthrough authentication. This will be disabled and connections will require Cert based auth.

Mark Vonk (mark.vonk@dahvo.com)
2019-07-19 10:42:32

*Thread Reply:* You need to specify a SCEP config in the Exchange config

Mark Vonk (mark.vonk@dahvo.com)
2019-07-19 10:43:15

*Thread Reply:* It will be pushed to all devices: all current mail, contacts and calendar info will be removed. Until the config is updated on the device, the connection to the Sentry will fail

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-07-19 10:45:08

*Thread Reply:* Ok thanks! Clear!

MichaelM21 (mike.miller815@yahoo.com)
2019-07-19 16:36:19

How would you guys troubleshoot wifi issues with Core in general? We leverage cert based auth (NDES / MS PKI) and use it with our wifi. Issue test certificate works within the NDES config, so a valid user certificate has been issued and was pushed to the device. The wifi config was also applied on the device. This config was never changed - but suddenly the majority of the devices cannot connect anymore. It is a bit of a pain because our NPS is not in our hands and the admin of the NPS always tells us nothing was changed on his side, even though the NPS shows „user rejected“ in the logs. So this cannot be related with Core. The only thing that confuses me is: if you re-enroll a device, it works again!? Any pointers?

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-19 16:42:43

@MichaelM21 any chance that the client cert expired? Is the certjob running properly? Usually first thing to check is cert log in Admin portal, device’s cert inventory (iOS). You said that it works after new enrollment so it must be connected to client cert (or some profile corruption on device). In the past there was a known issue when same SCEP config was used for VPN and other services. Basically in case of VPN profile re-push all other profiles using the same SCEP were corrupted on the device (lost relation to certificate). So from that point I always use separate SCEP configs for VPN / WiFi / Exchange.

MichaelM21 (mike.miller815@yahoo.com)
2019-07-23 11:59:27

We have created a new Local CA on Core for Wifi authentication. How can I export the root CA certificate from the local CA WITH private key? We have been told that the Radius server needs the root CA cert with the private key!?

Mark Vonk (mark.vonk@dahvo.com)
2019-07-23 12:05:24

*Thread Reply:* That would not be needed. It only needs the public key

MichaelM21 (mike.miller815@yahoo.com)
2019-07-23 13:39:40

*Thread Reply:* That is what I said, but we receive that on the Radius:

MichaelM21 (mike.miller815@yahoo.com)
2019-07-23 13:39:54

*Thread Reply:*

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-23 15:00:30

*Thread Reply:* Don’t ever share PK of your Root CA to any other system. In the system log I see “….SSL server credential’s certificate…” so I would check radius server cert first.

🙏 MichaelM21, NicolasR
MichaelM21 (mike.miller815@yahoo.com)
2019-07-23 15:49:56

*Thread Reply:* Thank you Ladislav!

MichaelM21 (mike.miller815@yahoo.com)
2019-07-25 16:04:33

*Thread Reply:* @Ladislav Blazek I have read RFC 5216 - The EAP-TLS Authentication Protocol. [...]With EAP-TLS, both the client and the server must be assigned a digital certificate signed by a Certificate Authority (CA) that they both trust. The certification authority (CA) that issues the user certificate must also be the CA that issued the server certificate to your NPS server.[...]

That would mean that Core local CA needs to issue a certificate for server authentication with a private key for the NPS. Is that even possible? Issue a certificate with a custom SCEP?

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-26 10:47:28

*Thread Reply:* @MichaelM21 “With EAP-TLS, both the client and the server must be assigned a digital certificate signed by a Certificate Authority (CA) that they both trust.“….. This is true. But I don’t think client and server certs must be signed by the same CA.

Ladislav Blazek (ladislav@lblazek.cz)
2019-07-26 10:52:48

*Thread Reply:* Basically on MI side you need to edit your WiFi profile and:

  • add radius server name to “Trusted Certificate Names” field
  • or add CA cert which was used for signing radius server cert to MobileIron and select it in the “Apply to Certificates” field.

By this you ensure that client will trust server.

👍 Mark Vonk
Ladislav Blazek (ladislav@lblazek.cz)
2019-07-26 10:53:56

*Thread Reply:* On the server side you need to ensure that server will trust client certs = you need to import MI Core CA cert to Trusted Root CA store

Woody (eric.woodland@trust.tc)
2019-07-23 20:39:30

Apparently BYODPortal is being deprecated (wow, it really is that old). MobileIron recommended using Core’s built-in portal. Is there a policy/config to restrict what platforms, OS versions, and device types can be enrolled at the /Go portal?

👍 Adrian Patrascu, MichaelM21
Almar Diehl (almar.diehl@blaud.com)
2019-07-24 07:54:20

*Thread Reply:* As of Core 10.3 you can configure what the minimum Android version must be for registration of a device. And also the minimum security patch level. Moreover you can create a white- or blacklist of Manufacturers.

Nothing of this all for iOS….

👍 Woody
Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-07-24 13:04:46

*Thread Reply:* Hi @Woody , Thanks for letting us know this information. Really helpful! Do you have an article to which we can point out? Also is this happening with a particular Core version?

MichaelM21 (mike.miller815@yahoo.com)
2019-07-25 07:04:02

Is there a way to retrieve usage statistics of deployed inhouse apps with Core? Assemble or API calls maybe? Details like how often the app is used by the user

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-07-25 07:59:48

*Thread Reply:* Hi, I do not believe that the MDM protocol allows for this option. You would need access to something like Screen Time or something similar to which Apple does not allow access. You can know if the app is installed or not, and what version it is running. If you want any details on how often someone accesses a particular service maybe you should focus on gathering statistics from that particular service, via access logging or something similar. You can use user agent to identify mobile access.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-07-26 09:08:33

*Thread Reply:* If the App uses Tunnel/Appconnect you could check logs how often it triggered.

👍 Adrian Patrascu, MichaelM21
aaron4mobile (aaronleavey@gmail.com)
2019-07-25 16:03:36

Good morning, I am looking for a way to perform a check in / check out type workflow for a stack of loaner iOS devices using Mobileiron. Has anyone done something like this or similar? Thanks!!!😀

Andrew Olpin (andy@olpin.us)
2019-07-25 16:19:37

*Thread Reply:* MobileIron has a webclip called multi user secure sign in that lets you swap the user assigned to the device. It can uninstall / reinstall apps when the sign in occurs.

Keep in mind that this functionality is based on the MI assignments, and may have stuff left behind like Safari passwords, or signed in web sites.

macbentosh (benbergthold@gmail.com)
2019-07-25 22:17:00

our whole data center is going offline tonight. any precautions for MI? Just let it ride out the downtime? Shut it down?

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-07-26 06:53:36

*Thread Reply:* Hi macbentosh, we do several things before we upgrade a MI Core appliance which might be helpful for this scenario as well.

  1. Perform a snapshot of the VM it is hosted on
  2. Create a backup of MI Core and upload it to a safe location, just in case things do not work out as expected
  3. Block network traffic to Core by running a lockdown script
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-07-26 09:11:38

*Thread Reply:* I would recommend a snapshot of it and perform a clean shutdown of the vms before data center.

macbentosh (benbergthold@gmail.com)
2019-07-26 09:17:28

*Thread Reply:* going down now thanks!

macbentosh (benbergthold@gmail.com)
2019-07-26 09:19:48

*Thread Reply:* is there a good shutdown command?

MichaelM21 (mike.miller815@yahoo.com)
2019-07-26 11:56:23

We have enabled the option „automatically update app when new version is available“ for Mobile@Work, but that doesn’t work for every device! We still have users with old versions and there are no automatic updates - how is the process here? Is this related to the iOS setting of the user if automatic app updates are allowed or if the app was converted to managed or not?

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-07-26 12:04:45

*Thread Reply:* Hi @MichaelM21 are these apps you mention VPP, in-house or Public Apps? Note that the automatic update does not work silently on all types of apps. Also the process is a little bit different on Supervised and Un-Supervised devices. If the app is not managed, then the settings are not enforced via MDM.

MichaelM21 (mike.miller815@yahoo.com)
2019-07-26 12:07:59

*Thread Reply:* Hi.. Mobile@Work VPP apps but some devices are still not enrolled as DEP devices, so I can imagine the conversion from unmanaged to managed was not accepted! Can this be checked if the app is managed or unmanaged? Devices are supervised and unsupervised.

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-07-26 12:10:22

*Thread Reply:* Yes, from what I know Core has an option to do that. The way I do it is select the app, then click on the number of installations, export as csv. In the csv file there is a column with the Managed attribute. I hope this helps.

🙏 MichaelM21
Kiran Patel (kiran@kiranpatel.net)
2019-08-01 04:26:29

*Thread Reply:* You can also choose the option to allow and enforce the app to be managed. Ensure you have the VPP license to be device and not user based as well

👍 MichaelM21, Woody
Kiran Patel (kiran@kiranpatel.net)
2019-08-01 04:26:49

*Thread Reply:* If it’s not supervised it will nag them I think at every device check in

👍 MichaelM21, Adrian Patrascu
MichaelM21 (mike.miller815@yahoo.com)
2019-08-01 09:28:50

*Thread Reply:* Thanks 🙏

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-09-05 11:27:27

*Thread Reply:* Hi @MichaelM21 I received a question from someone today and remembered your post here. Was there any incentive for you to enable this option? I can see we also have many users that are not running the latest 11.1.0 app, that has been released almost 2 months ago. Do you have any concerns with people roaming? As the app is 75MB large.

Pierre_B (pierre.bilong@econocom.com)
2019-07-26 15:29:57

@Pierre_B has joined the channel

John Zmyslowski (John.Zmyslowski@Blackstone.com)
2019-07-30 13:33:53

@John Zmyslowski has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-07-30 15:42:03

MobileIron Core and iOS native mail client - Restriction to block access for unmanaged apps like WhatsApp. We always unticked the option „Allow documents from managed apps to unmanaged app“. This used to work fine. But now there is an additional payload „Allow unmanaged apps to read from managed contacts account“ which was by default checked - and all unmanaged apps had access to the contacts. Now we unchecked it, problem solved. But now it looks like that the dialer is not able to read the contacts because there is no caller-id resolution. Is the dialer treated as an unmanaged app? I doubt that!

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-07-31 06:40:01

*Thread Reply:* Hi Michael, according to this documentation: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxHZCA0 what you are seeing is not a normal behavior. This should not apply to iOS System apps like the Phone or Messages.

MichaelM21 (mike.miller815@yahoo.com)
2019-07-31 07:25:13

*Thread Reply:* That’s what I thought. Thanks..

MichaelM21 (mike.miller815@yahoo.com)
2019-07-31 07:26:13

Any good ideas for dynamic filter labels on Core to separate between a tablet and a phone? (Android) - I like display size - but that is the resolution, not the actual size of the display

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-07-31 08:38:27

*Thread Reply:* Hi Michael, if you have just Samsung Android tablets, maybe you can do it based on model like this: "common.model" starts with "SM-T" and for other manufacturers see if there is a pattern in model that would help.

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-07-31 09:02:13

*Thread Reply:* Good idea, thanks!

Woody (eric.woodland@trust.tc)
2019-08-01 21:07:55

@here Alright, gonna go way back in time here. In terms of deploying a Cert-Based WiFi profile to Android (Device Administrator mode)… there used to be a document for Core that spoke to how you presented the CA trust chain to the device so it would install the certificate to the store, etc.

Woody (eric.woodland@trust.tc)
2019-08-01 21:58:46

Anyone happen to have a link to or copy of that procedure?

Mark Vonk (mark.vonk@dahvo.com)
2019-08-02 20:08:50

*Thread Reply:* Not a link or copy, but I would try the following:

👍 Woody
Mark Vonk (mark.vonk@dahvo.com)
2019-08-02 20:14:31

*Thread Reply:*

  1. Create a single file (pem for example) containing all the Radius server, intermediates and root certs. Add it as a Certificate Config.
  2. Reference that in the Wi-Fi config
  3. Type the FQDN of the Radius server in the Trusted Certificate Names field of the WiFi config.
  4. Push the Certificate Config (1) to the device
  5. Push the WiFi config
👍 Woody
Mark Vonk (mark.vonk@dahvo.com)
2019-08-02 20:15:31

*Thread Reply:* Not sure if it will work, sometimes you need something to get it to work

👍 Woody
MichaelM21 (mike.miller815@yahoo.com)
2019-08-07 17:10:57

*Thread Reply:* @Woody - this one? https://community.mobileiron.com/docs/DOC-1934

✅ Woody
Woody (eric.woodland@trust.tc)
2019-08-08 20:12:28

*Thread Reply:* @MichaelM21 - Yeah! Thank you so much for finding that

👍 MichaelM21
Ameri (christopher.ameri94@gmail.com)
2019-08-02 14:27:26

Hello guys,

I have got a question. I need to push on devices a wledp file on device. I think I have to use Android xml configuration.

Do you know some idée how do this action?

Best regards

Ameri (christopher.ameri94@gmail.com)
2019-08-02 14:29:59

Idea sorry

Matt Dermody (jmdermody@gmail.com)
2019-08-02 14:42:42

.wldep is for Ivanti Velocity which I believe for Zebra devices needs to be placed either in /enterprise/usr or /sdcard/Android/data/com.wavelink.velocity

Ameri (christopher.ameri94@gmail.com)
2019-08-02 20:05:54

Yes, you’re right. But the only format supported by MobileIron is xml. So I don’t have any idea how to push this format

Matt Dermody (jmdermody@gmail.com)
2019-08-02 20:20:46

Wait, really?

Matt Dermody (jmdermody@gmail.com)
2019-08-02 20:20:54

MobileIron can only push XML files to devices?

Matt Dermody (jmdermody@gmail.com)
2019-08-02 20:21:30

Are these Zebra devices that you’re managing?

Matt Dermody (jmdermody@gmail.com)
2019-08-02 20:21:47

If so can MobileIron support application of Zebra’s MX XML?

Matt Dermody (jmdermody@gmail.com)
2019-08-02 20:22:16

That might be a backup plan if the .wldep file can’t be distributed directly from the EMM, but I would find that kind of embarrassing

Matt Dermody (jmdermody@gmail.com)
2019-08-02 20:22:44

to have to send a Zebra MX instruction to tell the device to go retrieve the file from somewhere else like an FTP server

Ameri (christopher.ameri94@gmail.com)
2019-08-03 10:02:40

Yes it’s the goal of this Poc.

The most simple, as you said. It’s to send an instruction to the device in order to get back the files on a file server like an FTP or other technology

Markus Speicher (mspeicher@mobileiron.com)
2019-08-06 12:48:06

@Markus Speicher has joined the channel

Pavel Noll (pavel_noll@cz.ibm.com)
2019-08-08 12:54:26

@Pavel Noll has joined the channel

AJ (ajorgensen@mobileiron.com)
2019-08-09 02:28:41

@Matt Dermody @Ameri you can create the XML config in stagenow and push it via MI

Udoy (udoy@chatterji.net)
2019-08-09 12:54:50

@Udoy has joined the channel

Markus (markus.boehmler@isec7.com)
2019-08-09 13:12:42

@Markus has joined the channel

BG (bulgunduz@gmail.com)
2019-08-09 19:12:07

@BG has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-08-10 06:34:58

The new Gartner UEM Quadrant was published. MobileIron way behind (SOTI dropped) - share your thoughts on that. Not sure if Gartner is still a serious and impartial source.. 😳🤔 I can already hear customers bashing about this.

Mark Vonk (mark.vonk@dahvo.com)
2019-08-10 08:15:17

I understand Mobileiron dropping a bit. Not sure (do not agree) about the higher position of Citrix and BlackBerry. Microsoft is high up, but I am guessing this is due to Windows 10 feature set primarily.

MichaelM21 (mike.miller815@yahoo.com)
2019-08-10 10:08:47

*Thread Reply:* Why do you understand MobileIron dropping? Just curious..

Mark Vonk (mark.vonk@dahvo.com)
2019-08-10 10:28:59

*Thread Reply:* Product management has been lacking to introduce a lot of new features and product sets. It’s been really slow for about 1.5 years

😳 MichaelM21
AJ (ajorgensen@mobileiron.com)
2019-08-11 02:56:43

*Thread Reply:* Citrix and MS are high up on the back of their legacy tools, which make up for their weakness in the mobility space. They’ve dropped from where they were on the old quadrant on the back of the gaps in that space.

👍 MichaelM21, Adrian Patrascu
Andrew Olpin (andy@olpin.us)
2019-08-13 18:25:24

*Thread Reply:* MobileIron hasn't put the focus they need to on Windows. Also, a bunch of customers are jumping to intune. I think these are really the only two reasons.

👍 MichaelM21
NicolasR (raison_nicolas@me.com)
2019-08-19 21:35:23

*Thread Reply:* Do you really think that if Mobileiron was the best tool to manage Windows 10 a lot of companies would do it with MI?.... I’m not sure. MI is small against MSFT, competing on other platforms is already a challenge, competing with MSFT on Windows is suicide. The new strategy to change the focus to a security company is more realistic because instead of being in competition Mobileiron will start more and more being a partner of MSFT!

Andrew Olpin (andy@olpin.us)
2019-08-20 16:08:51

*Thread Reply:* Maybe yes, maybe no. I do know a very large MI customer is jumping ship to VMware because they really want to have a single environment to manage all of their endpoints, and VMware does a better job with windows.

And, whether or not you think a company would move, the point is Mobileiron's position in the MQ. The MQ is "unified endpoint management" and Mobileiron is trying more to be "Enterprise mobility management + security", which is why the UEM MQ hasn't treated them well.

Mark Vonk (mark.vonk@dahvo.com)
2019-08-10 08:16:36

As for credibility of Gartner: while I hear a lot of bashing and hints of partiality, I do think the quadrant so far has always been reasonable.

Ladislav Blazek (ladislav@lblazek.cz)
2019-08-10 11:08:42

IBM, BlackBerry, Citrix.... come on. MaaS360 is one big mess.

👍 Phil Hackett, Woody
MichaelM21 (mike.miller815@yahoo.com)
2019-08-10 11:17:38

*Thread Reply:* Exactly what I thought!

Udoy (udoy@chatterji.net)
2019-08-12 17:59:59

*Thread Reply:* Ya Intune is developing fast and as Intune is available for the majority of companies who are already starting their transition. Blackberry and MI will stay as strong lead as well till features of both world will be implemented in Intune. But from my point of view Intune and MI or Blackberry are not equal so it's not clear why MS is so high.

👍 MichaelM21
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-08-12 08:01:06

It depends on the point of view. Since it's a UEM quadrant and some have better implementation of (legacy) windows and virtualization it is accurate if you weight this heavily. But if you weight the platforms equal it doesn't fit in my opinion.

👍 MichaelM21
Justin Butts (justin.butts777@gmail.com)
2019-08-12 15:34:48

IBM being that high is pretty wild to me. They're in front of VMWare in completeness of Vision....how? MobileIron dropping that far back is slightly surprising but in line with general attitude toward MI over the past few years IMO.

👍 MichaelM21, Woody
Woody (eric.woodland@trust.tc)
2019-08-12 21:10:53

*Thread Reply:* Agree entirely. VMW has become the most complete offering out there. Sure, it has caveats.. but holistically.. no other on the market is moving at the pace they are.

Woody (eric.woodland@trust.tc)
2019-08-12 21:12:11

*Thread Reply:* MobileIron is still solid, they just aren’t innovating at the rate they used to. I understand a drop, but that is pretty drastic.

MichaelM21 (mike.miller815@yahoo.com)
2019-08-13 05:17:31

*Thread Reply:* MobileIron is already celebrating... 😳🙈

Woody (eric.woodland@trust.tc)
2019-08-14 20:39:21

*Thread Reply:* Yeah - I saw that as well. As a former employee, I want what’s best for them… but they really need to light a flame under their arse and get back at it

👍 Justin Butts
macbentosh (benbergthold@gmail.com)
2019-08-12 18:32:24

@here is there a way to see when the MI app was opened on an iOS device? I have a deployer who swears that they launched it within the 4hr enrollment window but it did not.

kvam (akunduri@vmware.com)
2019-08-12 19:24:55

@kvam has joined the channel

Woody (eric.woodland@trust.tc)
2019-08-12 20:56:54

Last Opened/Last Connected are going to be two different things @macbentosh. Though the app usually seems to check-in when opened… so there may be some truth there

Woody (eric.woodland@trust.tc)
2019-08-12 20:57:49

but to answer your question, no.. there is no definitive way to know when the app was actually last opened from an iOS perspective

Woody (eric.woodland@trust.tc)
2019-08-12 21:00:59

Curious - I know it’s getting old, but has anyone here spun-up and used a MobileIron BYODPortal tenant lately? They’re pushing to use the functionality that’s built into Core, but it really isn’t on-par with what BYODPortal provides.

Kiran Patel (kiran@kiranpatel.net)
2019-08-12 21:23:51

the last checked in there also isn't accurate at all

Kiran Patel (kiran@kiranpatel.net)
2019-08-12 21:24:02

that's the last time the app was launched... not when it actually checked into MI Core

Kiran Patel (kiran@kiranpatel.net)
2019-08-12 21:24:17

put the device in airplane mode and launch the app

Kiran Patel (kiran@kiranpatel.net)
2019-08-12 21:24:34

i miss the 2 green check marks and actual connectivity check it did to core... we used to rely on that through network changes

Woody (eric.woodland@trust.tc)
2019-08-12 21:30:21

Well, I was getting at “Client Last Check-In”

Woody (eric.woodland@trust.tc)
2019-08-12 21:31:14

Well, if that’s the case… I think that’s actually what @macbentosh was looking for @Kiran Patel

macbentosh (benbergthold@gmail.com)
2019-08-14 16:51:03

Anyone @here know why in core update OS software comes back blank when selecting more than 1 device?

mahiroux (mhyb.mk@gmail.com)
2019-08-15 04:42:48

Has anyone faced an issue opening attachments on iOS 13.0 Beta? For me, attachments open in the native viewer, however I am not able to open them with third party apps.

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-08-15 05:53:28

@mahiroux isn't that something for the #ios_betas channel?

mahiroux (mhyb.mk@gmail.com)
2019-08-15 05:59:26

@Marc van der Kooy reposted in this channel as I am testing this functionality with Mobileiron MDM. I was hoping to get an answer here in case this issue is known to any Mobileiron MDM experts.

Mark Vonk (mark.vonk@dahvo.com)
2019-08-15 06:40:28

*Thread Reply:* Multiple known issues regarding attachments. Check the iOS 13 guidance: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000fyP2SAI

Almar Diehl (almar.diehl@blaud.com)
2019-08-20 10:15:32

Hi, anyone ever tried to enroll a W10 laptop that does not have internet access? The customer wants to use W10 laptops without giving the laptops access to internet. The laptop only has access to the Core server. When registering the laptop a device entry is created on the Core server but the status remains Verified. All configurations remain pending.

When trying a Sync it times out with a connection error. Checking the firewall we see that the laptop is trying to connect to several internet sites. Why is it connecting to internet? It seems to try and download Apps@Work? Why and can we prevent this?

Mark Vonk (mark.vonk@dahvo.com)
2019-08-20 10:20:36

You need a WNS channel on the Windows 10 client to use MDM and push configs, etc.

Almar Diehl (almar.diehl@blaud.com)
2019-08-20 10:26:20

*Thread Reply:* Thanks a zillion Mark….!!

macbentosh (benbergthold@gmail.com)
2019-08-20 21:15:45

Anyone @here know if you can install the ivanti inventory agent on a MI server? Core or Sentry?

Mark Vonk (mark.vonk@dahvo.com)
2019-08-20 21:19:47

*Thread Reply:* You asked the same question on July 2nd…

Andrew Olpin (andy@olpin.us)
2019-08-20 21:47:32

*Thread Reply:* And, no, you can't.

macbentosh (benbergthold@gmail.com)
2019-08-21 21:20:34

What is the trick to allow a user to upload files with docs@work. Don’t have access to the guide right now

NicolasR (raison_nicolas@me.com)
2019-08-22 10:37:24

*Thread Reply:* If the shares are “published site” they will be read only, uncheck the check box to have this capability

NicolasR (raison_nicolas@me.com)
2019-08-22 10:37:38

*Thread Reply:* also there are KVP allowing to block doc upload

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-08-22 11:02:42

Hi guys, I upgraded my Pixel 3 to Android Q today and I was surprised to see I cannot enroll it in MobileIron Core. It seems this is a known issue with MobileIron Core. Thought this would be a good piece of information to share. The issue will be fixed in Mobile@Work 10.4, which is not yet released. The reason is: Android Permission Controller crashes. Full article is available here for who is interested: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TNVgSAO

I hope this helps!

👍 Jason Bayton, MichaelM21
Almar Diehl (almar.diehl@blaud.com)
2019-08-22 12:02:49

*Thread Reply:* Have you tested the M@W 10.4 beta?

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-08-22 12:08:18

*Thread Reply:* Hi Almar, not yet. I have asked for this beta version and will test it once I receive. I expect this to work with M@W 10.4 beta. I will keep you posted once I receive it and check it out.

Almar Diehl (almar.diehl@blaud.com)
2019-08-22 12:11:05

*Thread Reply:* You can test the beta version by opening the PlayStore, select the M@W app and click the option that you want to become a beta tester for this app. After doing this you can upgrade the app to the beta version.

👍 Adrian Patrascu, MichaelM21
Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-08-22 12:24:19

*Thread Reply:* It works, although I still see the app crashing, after a few seconds it automatically re-launches the process from where it left off. I believe there are still a few tweaks to be made here, but it works 🙂! Thank you Almar for sharing this information very helpful!

Jason Bayton (jason@bayton.org)
2019-08-22 11:04:18

I noticed it failed to enrol in beta1 and pinged the PM. Surprised it’s taking so long to get a fix out!

MichaelM21 (mike.miller815@yahoo.com)
2019-08-22 12:08:08

We use Kerberos Constrained Delegation with MobileIron Sentry. After we change the UPN for a user account and we remove the user cert so the UPN gets updated, the sync works with iOS Email+ devices, but not for Android Enterprise Email+. Any ideas? If we change the UPN back to the old one, AE devices are able to sync again.

Almar Diehl (almar.diehl@blaud.com)
2019-08-22 12:09:44

*Thread Reply:* If I remember correctly you will need to push the Email+ client to the device(s) again since the certificate is part of the configuration.

MichaelM21 (mike.miller815@yahoo.com)
2019-08-22 14:41:02

*Thread Reply:* Almar 007 strikes again.. thanks! 👍

Almar Diehl (almar.diehl@blaud.com)
2019-08-22 14:48:18

*Thread Reply:* 🤣

Nick (nickdiaz@gmail.com)
2019-08-23 13:27:17

*Thread Reply:* Curious how you’re going about removing the user cert so the UPN gets updated? I’m finding that in a similar situation using KCD where the UPN is changed in ADLDS, iOS SCEPs automatically refresh, but SCEPs inside a Knox container do not. I’ve been looking for a way to trigger the refresh of that SCEP, or worst case, somehow script the deletion of the user cert so that it will refresh at next device check-in.

MichaelM21 (mike.miller815@yahoo.com)
2019-08-23 19:01:53

*Thread Reply:* @Nick you can remove the cert via Core Admin Portal (Certificate Management tab) and a new cert gets issued and deployed to the device automatically

Nick (nickdiaz@gmail.com)
2019-08-23 19:03:26

*Thread Reply:* Agreed, @MichaelM21, and that's a worst case fallback. But in my particular case, the UPN of tens of thousands of users is changed on a rolling basis.

MichaelM21 (mike.miller815@yahoo.com)
2019-08-23 20:11:45

*Thread Reply:* Oh in that case I agree, that’s no option for you 🤮 Any possibilities with Assemble?

MichaelM21 (mike.miller815@yahoo.com)
2019-08-22 16:50:50

Anyone using or looked into using MobileIron Access SSO with Cisco Jabber?

NicolasR (raison_nicolas@me.com)
2019-08-22 17:25:37

*Thread Reply:* Tunnel v3.x doesn’t support UDP packets. Tunnel v4.x (currently beta, soon to be released) will support split UDP, so your Jabber server must allow UDP from the internet

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-08-22 19:30:53

*Thread Reply:* Ah yes, we talked about that. Thanks for reminding me. 👍🍻

MichaelM21 (mike.miller815@yahoo.com)
2019-08-22 19:42:05

*Thread Reply:* Can we use Access As A Service with PingFederate as Delegated IdP though or is there a drawback?

NicolasR (raison_nicolas@me.com)
2019-08-22 19:58:15

*Thread Reply:* You can

NicolasR (raison_nicolas@me.com)
2019-08-22 19:58:22

*Thread Reply:* It works fine

👍 MichaelM21
mahiroux (mhyb.mk@gmail.com)
2019-08-23 18:26:55

*Thread Reply:* @MichaelM21 I am also looking for some guidance for deploying SSO for Jabber via Access. Are you using Jabber MRA deployment?

MichaelM21 (mike.miller815@yahoo.com)
2019-08-23 18:59:23

*Thread Reply:* @mahiroux yes, we also use an expressway. Our users have only smartcards so they don’t know any passwords. We are looking into cert based or SAML

mahiroux (mhyb.mk@gmail.com)
2019-09-05 12:06:07

*Thread Reply:* @MichaelM21 Did you manage to deploy SSO for jabber MRA?

MichaelM21 (mike.miller815@yahoo.com)
2019-09-05 14:51:36

*Thread Reply:* Unfortunately we didn’t start yet. How about you? I have read on another thread here that it is not clear that Cisco supports Tunnel at all.. @NicolasR do you guys have any customers with Jabber and Tunnel?

mahiroux (mhyb.mk@gmail.com)
2019-09-05 15:24:13

*Thread Reply:* @Michael Not yet. As per our corporate policy, we had to make sure all the calls are recorded. We have achieved this very recently with our existing recording solution. Now the management has given the green signal to go ahead with production deployment. Do you prefer SSO over CBA?

MichaelM21 (mike.miller815@yahoo.com)
2019-09-18 11:36:54

*Thread Reply:* @NicolasR do you have any documents how to configure the delegated IdP Pair in the Access Admin Portal for Ping and Cisco Jabber SSO? I have the document for O365/PingFederate, but not sure how to setup the same for Jabber..

J kruit (j.kruit@partner.samsung.com)
2019-08-23 09:11:07

Does MI Cloud have the option to configure battery optimization for Android apart from using KSP for Samsung devices?

Jason Bayton (jason@bayton.org)
2019-08-23 09:11:23

*Thread Reply:* No

J kruit (j.kruit@partner.samsung.com)
2019-08-23 09:11:41

*Thread Reply:* Bummer

Jason Bayton (jason@bayton.org)
2019-08-23 09:12:19

*Thread Reply:* Ask your OEM to support it with OEMConfig, it's not an AE API

J kruit (j.kruit@partner.samsung.com)
2019-08-23 09:15:10

*Thread Reply:* Fortunately it is for Samsung devices so KSP can be used but most likely an extra license is needed

Jason Bayton (jason@bayton.org)
2019-08-23 09:33:31

*Thread Reply:* I wouldn't immediately assume so. There's a mix of both free and licensed in KSP

Daniel Vodrážka (dvodrazka@system4u.com)
2019-08-27 10:59:39

@Daniel Vodrážka has joined the channel

Ajay Patel (ajay5675@msn.com)
2019-08-28 11:02:20

does anyone on here know how I can get access to a trial/demo version of MI? It's the only UEM I've never really had any exposure to, however something we come across a lot with our customers that we cannot support as we've never seen it/used it. I put my details down for the free trial on their website but nobody ever gets back to me.

Kiran Patel (kiran@kiranpatel.net)
2019-08-28 12:36:43

@Ajay Patel did you do this on their partner site?

Ajay Patel (ajay5675@msn.com)
2019-08-28 12:37:13

no just their standard site as we are not a partner

Mark Vonk (mark.vonk@dahvo.com)
2019-08-28 12:37:28

What region are you in Ajay>

Mark Vonk (mark.vonk@dahvo.com)
2019-08-28 12:37:30

?

Ajay Patel (ajay5675@msn.com)
2019-08-28 12:38:50

UK - EMEA

Kiran Patel (kiran@kiranpatel.net)
2019-08-28 12:39:21

Anyone here upgrade prod to Core 10.4? We found some interesting bugs so curious how others worked around them. 1) could re-push managed apps set to repush 2) apps@work icon reverts. We can change it but tomcat restart reverts it 3) loses connectivity with sentry but they have a hotfix for this

Cc @John Zmyslowski in case I’m missing anything

NicolasR (raison_nicolas@me.com)
2019-08-28 15:03:14

*Thread Reply:* For the apps@work icon we have the same issue on CLOUD R64. Fixed in R64.3

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-08-29 13:11:42

*Thread Reply:* I can confirm 2 and 3.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-08-29 13:12:04

*Thread Reply:* it will be fixed in 10.4.1

John Zmyslowski (John.Zmyslowski@Blackstone.com)
2019-08-29 13:12:58

*Thread Reply:* Anyone have an ETA for release?

Woody (eric.woodland@trust.tc)
2019-08-28 15:59:36

@here Trying to remember - If I check the AE box, will the app also remain available for legacy devices running Device Administrator?

MichaelM21 (mike.miller815@yahoo.com)
2019-08-28 17:24:37

*Thread Reply:* Yes

Woody (eric.woodland@trust.tc)
2019-08-29 15:39:09

*Thread Reply:* Thanks @MichaelM21! I tested it with a new app and observed the same (while waiting for a response).

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-08-28 17:25:21

Is there a way to change the name of an iOS device with MobileIron Core?

Almar Diehl (almar.diehl@blaud.com)
2019-08-28 20:53:07

*Thread Reply:* No unfortunately not.

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-08-29 06:39:24

*Thread Reply:* Thanks Almar

MichaelM21 (mike.miller815@yahoo.com)
2019-08-29 06:43:23

Will there be zero day support for iPadOS with MobileIron Core? Are there any details yet what the main difference will be with iPadOS?

Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 07:57:26

*Thread Reply:* I am not aware of any differences between iOS and iPadOS in regards to MDM api/functionality. So it is still pretty much iOS. Everything works fine on my iPad with iPadOS 13.1 beta.

MichaelM21 (mike.miller815@yahoo.com)
2019-08-29 08:30:58

*Thread Reply:* Great, good to know! Thanks Ladislav!

mahiroux (mhyb.mk@gmail.com)
2019-08-29 09:15:33

*Thread Reply:* @Ladislav Blazek Have you noticed any issues with ‘open in’ attachments with managed apps? I am not able to open attachments from mail apps with managed apps. Open in function works the moment I remove MobileIron from the device.

Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 09:34:09

*Thread Reply:* @mahiroux Will check. What are your managed open-in settings in Restrictions config?

mahiroux (mhyb.mk@gmail.com)
2019-08-29 09:47:49

*Thread Reply:* Both managed to unmanaged and unmanaged to managed unselected.

mahiroux (mhyb.mk@gmail.com)
2019-08-29 09:48:57

*Thread Reply:* In our prod environment, unmanaged to managed is enabled, however the same issue is noticed.

Almar Diehl (almar.diehl@blaud.com)
2019-08-29 11:00:30

*Thread Reply:* There will be no zero day support for some new features. F.i. user enrollment will be supported in a Core upgrade planned for the end of the year (according to MobileIron).

Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 11:33:45

*Thread Reply:* @Almar Diehl yes, I hope that MI will implement (at least some) new features fast. VMware already announced support for some new features like selective sync of Mail/Calendar/Contacts in Exchange payload in WSO UEM version 1908

👍 Woody
Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 11:48:39

*Thread Reply:* @mahiroux Do you see managed apps in Share dialog or not?

Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 12:00:43

*Thread Reply:* I am testing now managed open-in functionality on my iPad running iPadOS 13.1 beta (currently enrolled in WSO). I see the managed apps in share dialog but when I tap the app to open document nothing happens. Looks like it is seriously broken in iOS/iPadOS 13.?… Anyone else can confirm? #ios_betas

mahiroux (mhyb.mk@gmail.com)
2019-08-29 12:02:17

*Thread Reply:* I can see them, however it doesn’t open attachments. When I enable select both restriction configs, Managed to Unmanaged and Unmanaged to Managed, open in is working, however that breaks our DLP controls.

👍 Ladislav Blazek
Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 12:04:19

*Thread Reply:* @mahiroux of course. I see the same behaviour on my device managed by VMware WSO. What is the iOS version you are testing on? 13.1 or 13.0 beta?

mahiroux (mhyb.mk@gmail.com)
2019-08-29 12:09:40

*Thread Reply:* I have been testing this for Beta 6 to 13.1 with the same result.

Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 12:13:40

*Thread Reply:* I have not noticed this bug in previous betas…. good finding. Thanks!

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-08-29 13:31:15

*Thread Reply:* I see similar on my iOS 13 Beta6 not able to open attachments in a managed app, but I remember I was able to do this in the past. Has something maybe changed in this new Beta 6?

Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 13:49:06

*Thread Reply:* Don’t know… I just submitted issue via Feedback Assistant to Apple. FB7153828

👍 MichaelM21
Woody (eric.woodland@trust.tc)
2019-08-29 15:41:41

*Thread Reply:* @Ladislav Blazek “selective sync of Mail/Calendar/Contacts in Exchange payload” - I think I’ve been waiting on this for half a decade. Nice to see it finally coming to life!

Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 16:56:06

*Thread Reply:* @Woody yeah, finally a solution for customers using Email+/Boxer on iOS and struggling with contact sync.

👍 Sean
Woody (eric.woodland@trust.tc)
2019-08-29 17:47:02

*Thread Reply:* @Ladislav Blazek this is what you were referring to, right?

👍 MichaelM21
Woody (eric.woodland@trust.tc)
2019-08-29 17:48:37

*Thread Reply:* This would have been super useful back when we were pushing calendars to Administrative Assistants

Woody (eric.woodland@trust.tc)
2019-08-29 17:49:05

*Thread Reply:* @Jonathan Henson @japple In case you guys are still doing some of that ^^^

🔥 Jonathan Henson
Ladislav Blazek (ladislav@lblazek.cz)
2019-08-29 17:51:58

*Thread Reply:* Yes, exactly, calendar only is another use case.

👍 Woody
NicolasR (raison_nicolas@me.com)
2019-08-29 19:58:02

*Thread Reply:* It’s like this since the first release of iOS 13 beta.

👍 MichaelM21
NicolasR (raison_nicolas@me.com)
2019-08-29 19:58:06

*Thread Reply:* Still in 13.1

NicolasR (raison_nicolas@me.com)
2019-08-29 20:33:47

*Thread Reply:* By the way iOS 13.0 will require one of these:

  • Core 10.2.0.2
  • Core 10.3.0.2
  • Core 10.4.0.1 Silent APNs and iOS pin registration issues
👍 Woody, MichaelM21, mahiroux, Adrian Patrascu, macbentosh
MichaelM21 (mike.miller815@yahoo.com)
2019-08-30 12:07:14

*Thread Reply:* Awesome Thread!!👍

MichaelM21 (mike.miller815@yahoo.com)
2019-08-29 12:49:46

Anyone familiar with the ErrorCode 12040 for Install Managed Application on MobileIron Core? We use Apple VPP (Device License is used), but sometimes users get prompted for an Apple-ID. In this case for Mobile@Work or Docs@Work.. Only some apps with certain devices have this issue.. UPDATE: damn, sounds like this: https://help.mobileiron.com/s/feed/0D53400004dlVD1CAM

Is there any impact for existing devices if I revoke all licenses?

macbentosh (benbergthold@gmail.com)
2019-08-29 16:46:39

@here anyone know of where I can find good mobileiron flowcharts? looking on the help page now but their search is not working as I would like it

macbentosh (benbergthold@gmail.com)
2019-08-29 16:46:55

looking more of a flow as to how email flows

Justin Butts (justin.butts777@gmail.com)
2019-08-29 16:48:51

how email flows?

Justin Butts (justin.butts777@gmail.com)
2019-08-29 16:48:59

are you using secure mail and SEGs?

macbentosh (benbergthold@gmail.com)
2019-08-29 16:50:51

kerb and sentry with core

Justin Butts (justin.butts777@gmail.com)
2019-08-29 16:53:43

woops

Justin Butts (justin.butts777@gmail.com)
2019-08-29 16:53:48
macbentosh (benbergthold@gmail.com)
2019-08-29 16:54:11

cool thanks

Justin Butts (justin.butts777@gmail.com)
2019-08-29 16:55:26

yeah I think it was the 1st image result when I googled "MobileIron Sentry Map"

👍 Woody
Almar Diehl (almar.diehl@blaud.com)
2019-08-30 08:22:20

Anyone successfully configured Cisco Jabber Android Enterprise (Chat) using MobileIron Tunnel? I first of all get an SSL error (showing the correct certificate) and when I trust the certificate (which I should not need to do) I get a server not found. In the logs I see a 200 OK connected to server.

In the Jabber configuration there is a KVP ‘Third Party VPN’ with 2 possible values, being: 0 - do not support non-Cisco VPN 1 - Android native VPN

Could this mean that MI Tunnel is not supported at all?

MichaelM21 (mike.miller815@yahoo.com)
2019-08-30 12:08:42

*Thread Reply:* Very good question. I am also interested in this, but I haven’t started the implementation yet.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-08-30 14:33:01

*Thread Reply:* Haven't done it yet, but Tunnel uses the native Android Enterprise VPN, or? Which certificate are you asked to trust? Sentry or jabber server? Is Jabber UDP or TCP?

Almar Diehl (almar.diehl@blaud.com)
2019-08-30 14:43:38

*Thread Reply:* Hi Wolfgang, it is asking to trust the SSL certificate of the Jabber server. But your question about UDP or TCP triggered me. I think Jabber by default connects over TCP port 5222 for XMPP.

JF Rigot (jr@mob.co)
2019-09-03 08:49:20

*Thread Reply:* https://ccieme.wordpress.com/2017/01/23/cisco-jabber-port-usage/

👍 Almar Diehl, mahiroux
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-09-03 11:53:42

*Thread Reply:* is the certificate from the Jabber server an internal one? maybe trust the CA on device side.

👍 AJ
MichaelM21 (mike.miller815@yahoo.com)
2019-09-05 14:48:20

*Thread Reply:* Any new findings on this?

Almar Diehl (almar.diehl@blaud.com)
2019-09-05 14:59:02

*Thread Reply:* Well yeah, seems to be a firewall issue. Trying to get this solved.

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-09-05 15:33:26

*Thread Reply:* So all UDP relevant traffic must be reachable from the internet before Tunnel 4.0 hits.. Was that task clear how to publish all relevant UDP services?

Nicolas SEVERE (nicolas.severe@orange.com)
2019-08-30 14:57:38

@Nicolas SEVERE has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 15:09:47

Is there a timeline for Core 10.4.0.1 (or 10.4.0.2, not sure which one is the next) which fixes the issues in 10.4.0.0 and supports iOS 13?

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-09-03 15:14:46

*Thread Reply:* 10.3.0.2 is already available with the compatibility support for iOS 13 devices, in case you have not migrated to 10.4.0.0 already

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 15:38:53

*Thread Reply:* Good point, thanks. But I believe the publishing of private apps for Android Enterprise without a developer account is only available from 10.4. I don’t see the iFrame integration with 10.3.0.0

NicolasR (raison_nicolas@me.com)
2019-09-03 16:30:37

*Thread Reply:* Moved to 9/4/2019

Kiran Patel (kiran@kiranpatel.net)
2019-09-03 17:19:21

*Thread Reply:* @NicolasR what is coming out on 9/4?

Kiran Patel (kiran@kiranpatel.net)
2019-09-03 17:19:42

*Thread Reply:* We've been holding on 10.4 due to a few bugs we found

NicolasR (raison_nicolas@me.com)
2019-09-03 17:20:24

*Thread Reply:* 10.4.0.1 planned for tomorrow

👍 MichaelM21, Kiran Patel
Kiran Patel (kiran@kiranpatel.net)
2019-09-03 21:50:45

*Thread Reply:* Awesome, what's fixed in it? 😄

NicolasR (raison_nicolas@me.com)
2019-09-03 23:54:18

*Thread Reply:* Mostly iOS/iPadOS 13 stuff, but also the issue that occurred with 10.4.0.0 and sentry sync

MichaelM21 (mike.miller815@yahoo.com)
2019-09-04 13:29:55

*Thread Reply:* 10.4.0.1 is available - safe to install?

Mark Vonk (mark.vonk@dahvo.com)
2019-09-03 15:13:20

This week, i believe tonight actually

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 19:21:25

We have 4 admins on Core 10.3.0.0 - everyone is in the same space and has the same permissions. But only one admin can be chosen within an Event Setting (like System Event) for CC to Admins, the other 3 admins do not show up there. Any ideas why?

Mark Vonk (mark.vonk@dahvo.com)
2019-09-03 19:26:18

*Thread Reply:* Do they, the other admins, have a device registered?

Mark Vonk (mark.vonk@dahvo.com)
2019-09-03 19:27:31

*Thread Reply:* Events only work for users/admins with a registered device… (was dumb 5 years ago, still so unfortunately. Admins do not have a registered device normally)

Almar Diehl (almar.diehl@blaud.com)
2019-09-03 19:34:23

*Thread Reply:* As Mark says, very annoying. As a workaround I just create a device registration for the admin but don't actually configure a device, just leave it pending.

👍 Mark Vonk
MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:22:53

*Thread Reply:* What, really? No, no admin has devices, even not the one who can be chosen. But I remember we had a thread in here where someone explained that events work with local user where the email address of that local user can be a distribution list. That local user has no device and I am 95% sure that events are getting delivered. I gotta find the thread.

NicolasR (raison_nicolas@me.com)
2019-09-03 20:28:34

*Thread Reply:* This workaround is no more actual for years now!! Look if the admin exists on the users list if not, import them here

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:29:51

*Thread Reply:* @NicolasR in the event you mean? Why would they not appear in the admin area if they are admins?

NicolasR (raison_nicolas@me.com)
2019-09-03 20:30:25

*Thread Reply:* Admins are user objects with admin permissions

NicolasR (raison_nicolas@me.com)
2019-09-03 20:30:54

*Thread Reply:* So regular admin should be in users list

Mark Vonk (mark.vonk@dahvo.com)
2019-09-03 20:33:55

*Thread Reply:* @NicolasR I am not sure what you mean. But in any case: for System events, you can only select “admins” when they have a device registered or a device registration. Admins without a device or registration will not be shown regardless

NicolasR (raison_nicolas@me.com)
2019-09-03 20:34:15

*Thread Reply:* Not anymore ;-)

NicolasR (raison_nicolas@me.com)
2019-09-03 20:34:25

*Thread Reply:* Since Core 9.x or around

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:34:35

*Thread Reply:* If I look under Devices & Users / Users they don’t show up under Authorized Users.. most probably because they have not logged on yet (they are ldap accounts).. I can search for them via LDAP entities. @Mark Vonk the one which can be chosen has also no device registered and I can select him

NicolasR (raison_nicolas@me.com)
2019-09-03 20:35:03

*Thread Reply:* That’s your issue I think

NicolasR (raison_nicolas@me.com)
2019-09-03 20:35:27

*Thread Reply:* Admin here looks for any user in the database. Not only users with admin permissions

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:35:46

*Thread Reply:* But not sure how I can solve it..

NicolasR (raison_nicolas@me.com)
2019-09-03 20:36:05

*Thread Reply:* Add them manually in the authorized entities list

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:36:34

*Thread Reply:* I can only add local users there

NicolasR (raison_nicolas@me.com)
2019-09-03 20:36:58

*Thread Reply:* No, you can add users but UX sucks...

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:37:21

*Thread Reply:* 😂😂 I see no button for this

NicolasR (raison_nicolas@me.com)
2019-09-03 20:37:41

*Thread Reply:* There is no Add+ button 😂🤯

Mark Vonk (mark.vonk@dahvo.com)
2019-09-03 20:37:59

*Thread Reply:* Ok. so I have a local user. It is shown in the authorized user list, but I can’t select it. It does not have a device or device registration. Identical user, in authorized, with a device: can add it to the Event admins

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:38:42

*Thread Reply:* @NicolasR and how should I add it then? Via CLI?

NicolasR (raison_nicolas@me.com)
2019-09-03 20:39:13

*Thread Reply:* Nope, select the drop down LDAP entities

NicolasR (raison_nicolas@me.com)
2019-09-03 20:39:22

*Thread Reply:* Select users

NicolasR (raison_nicolas@me.com)
2019-09-03 20:39:32

*Thread Reply:* Search for them and add them user portal role

NicolasR (raison_nicolas@me.com)
2019-09-03 20:39:41

*Thread Reply:* (After you can remove it)

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:39:57

*Thread Reply:* @Mark Vonk same here. I have created a local user, and I can select the local user in the event. What core version are you on? 10.3.0.0 here

NicolasR (raison_nicolas@me.com)
2019-09-03 20:40:13

*Thread Reply:* As soon as you do this they will show in the authorized entities

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:40:51

*Thread Reply:* That user has user portal already

NicolasR (raison_nicolas@me.com)
2019-09-03 20:41:01

*Thread Reply:* Hum

Mark Vonk (mark.vonk@dahvo.com)
2019-09-03 20:41:02

*Thread Reply:* You can use the account to log on once (for ex. on the Admin portal) and it will show up under authorized users. But I am still not sure this solves it. As said before, I can’t search for and/or select any account without a device registration or device. I am on 10.4

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:41:24

*Thread Reply:* Weird 🤯

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:45:22

*Thread Reply:* My local user has also never logged on and still shows up as authorized. Giving up for today

NicolasR (raison_nicolas@me.com)
2019-09-03 20:45:34
NicolasR (raison_nicolas@me.com)
2019-09-03 20:45:52

*Thread Reply:* @Mark Vonk did you select sms or push as delivery method to admins?

Mark Vonk (mark.vonk@dahvo.com)
2019-09-03 20:48:36

*Thread Reply:* No, but changed it. No difference. Can search for and select user1 (has a device). User2 (without device) can’t be found or selected

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:48:36

*Thread Reply:* @NicolasR I have the same setup and this also works for me. But not for the ldap admins

NicolasR (raison_nicolas@me.com)
2019-09-03 20:49:04

*Thread Reply:* Let me import ldap one...

Mark Vonk (mark.vonk@dahvo.com)
2019-09-03 20:49:10

*Thread Reply:* both user1 and user2 are local users for me

Mark Vonk (mark.vonk@dahvo.com)
2019-09-03 20:49:51

*Thread Reply:* Identical users except for the UserID. And user1 has a device

MichaelM21 (mike.miller815@yahoo.com)
2019-09-03 20:50:15

*Thread Reply:* Also did a short test.. local user with distribution list email added to a system event. Shut down Sentry. Under Logs/Events I see Sentry not reachable - status dispatched.. can’t check at the moment if it was really delivered

Luc (luc.rames@digitaldimension.fr)
2019-09-04 13:48:08

Hi Have you noticed an automatic launch of the Mobile@work version 10.4 application in Android Enterprise mode COPE

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-04 13:50:07

*Thread Reply:* Yeah… and since that time we are fighting with constant notifications in M@W with message “Device in compliance”. Already created ticket on MI support portal.

Luc (luc.rames@digitaldimension.fr)
2019-09-04 13:52:09

*Thread Reply:* Ok i will open a new ticket to enforce your case

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-04 13:56:56

*Thread Reply:* Do you see the same issue @Luc

👍 Ladislav Blazek
Luc (luc.rames@digitaldimension.fr)
2019-09-04 13:57:00

*Thread Reply:* yep

Luc (luc.rames@digitaldimension.fr)
2019-09-04 14:18:31

*Thread Reply:* it happens on Android 9 and 10, others I don’t know, and in mode COPE and BYOD

NicolasR (raison_nicolas@me.com)
2019-09-04 14:34:57

*Thread Reply:* Android 10 it’s as per design

NicolasR (raison_nicolas@me.com)
2019-09-04 14:35:02

*Thread Reply:* Android 9 not expected

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-04 14:36:31

*Thread Reply:* @NicolasR What do you mean by “Android 10 it’s as per design”? Users are getting that message like every 2-3 mins…

NicolasR (raison_nicolas@me.com)
2019-09-04 15:05:44

*Thread Reply:* @Ladislav Blazek https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TOVUSA4 “MobileIron Clients (Mobile@Work & Go) will not be auto launched after Android Enterprise profile is setup due to changes in behavior in Android 10. The user will be informed through a notification, and the user will need to restart the profile app from the launcher icon or through the notification.”

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-04 15:11:59

*Thread Reply:* Thanks @NicolasR. My issue is right now on Android 9. Users are bombarded by notification every 2-3 mins, M@W is running. Not able to verify behaviour on Android 10… but as far as I understand this should happen only in case M@W is killed/not started, right?

NicolasR (raison_nicolas@me.com)
2019-09-04 15:12:26

*Thread Reply:* We had that with SAM 8.5... probably the same issue

NicolasR (raison_nicolas@me.com)
2019-09-04 16:15:12

*Thread Reply:* You’re not the only one @Ladislav Blazek A customer reports it also

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-04 16:17:17

*Thread Reply:* I know. Thanks @NicolasR

Luc (luc.rames@digitaldimension.fr)
2019-09-06 15:37:31

*Thread Reply:* hi ladislav could you give me your case number to refer it

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-06 15:39:35

*Thread Reply:* @Luc 00481343

Luc (luc.rames@digitaldimension.fr)
2019-09-06 15:39:55

*Thread Reply:* thanks

Luc (luc.rames@digitaldimension.fr)
2019-09-06 15:40:07

*Thread Reply:* i will refer your case also in my case

Luc (luc.rames@digitaldimension.fr)
2019-09-12 19:11:42

*Thread Reply:* so I hear that it will be fixed in the next version of Mobile@Work, in 10.4.0.1

Luc (luc.rames@digitaldimension.fr)
2019-09-12 19:12:19

*Thread Reply:* any idea when it will be deployed on Google Play

Luc (luc.rames@digitaldimension.fr)
2019-09-12 19:12:30

*Thread Reply:* @NicolasR ?

NicolasR (raison_nicolas@me.com)
2019-09-12 19:15:34

*Thread Reply:* No date found on Jira yet

Luc (luc.rames@digitaldimension.fr)
2019-09-20 10:55:05

*Thread Reply:* next week the version 10.4.0.1 beta will be deployed, and normally this version will fix this issue i will give you some feedback when i have tested

Ondrej Zerzanek (ozerzanek@system4u.com)
2019-09-04 14:11:11

@Ondrej Zerzanek has joined the channel

John Zmyslowski (John.Zmyslowski@Blackstone.com)
2019-09-04 14:38:04

Has anyone run into the issue where apps that are configured to push upon registration are re-pushed after upgrading to 10.2.0.0 or later? Anyone aware of what version this will be fixed? Seems like a pretty big one. https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000GzQNSA0

Mark Vonk (mark.vonk@dahvo.com)
2019-09-04 16:51:10

*Thread Reply:* Never seen this issue in the wild anywhere. Might be that some Core had it, but issue did not present itself in a bad way.

Almar Diehl (almar.diehl@blaud.com)
2019-09-04 17:16:16

*Thread Reply:* 10.3 creates new iOS MDM configurations for all registered iOS devices and pushes those to the devices. The behaviour you are seeing might be a result of this.

macbentosh (benbergthold@gmail.com)
2019-09-04 16:30:40

good to go to 10.4?

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-04 16:35:15

*Thread Reply:* Wait for 10.4.0.1

John Zmyslowski (John.Zmyslowski@Blackstone.com)
2019-09-04 16:52:35

*Thread Reply:* 10.4.0.1 was released today. installed this morning, confirming so far that it resolves the custom app branding issue for apps@work and the sentry to core disconnect issue.

👍 Ladislav Blazek, MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-09-04 17:58:49

Has anyone a good source for a technical comparison between Intune and MobileIron? Looking for the advantages of MobileIron. There was one on emm.how published by Brandon. Not sure if this is still accurate. Here is the link: https://emm.how/t/common-issues-limitations-of-microsoft-intune/839

Paul Troisi (ptroisi@troymobility.com)
2019-09-04 20:32:20

@MichaelM21 If you are a partner, there are some good battlecards of MI vs. Intune on the partner site. They are confidential in nature and MI does not like them to be shared with the customer. But you can extract what you need to do the comparison between the 2 platforms.

Justin Butts (justin.butts777@gmail.com)
2019-09-04 22:32:57

^ since I'm not a customer anyone care to shar?

Justin Butts (justin.butts777@gmail.com)
2019-09-04 22:32:59

share

Mark Vonk (mark.vonk@dahvo.com)
2019-09-04 22:46:56

Please be aware this content is quickly incorrect or outdated. The ones from MobileIron are already outdated. Intune moves along and so does MobileIron of course. The difference between the two depends on the use cases of the customer and the point in time. Unless you go into that much detail and maintain it constantly, you can only compare them on a very high level, losing all the fine lines.

👍 NicolasR
NicolasR (raison_nicolas@me.com)
2019-09-05 08:45:01

I agree, battlecards are not a good starting point. There is no comparison document and as Mark said, the best approach is to address each use case to focus on the few capabilities required

👍 MichaelM21
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-09-05 10:45:51

The differences are often also in the details. Such as is a feature beta/preview or live, are the features scalable, are they full or semi automatic, are the features interoperable or working only for some usecases, are there known bugs/limitations, ...

👍 MichaelM21, Justin Butts
Justin Butts (justin.butts777@gmail.com)
2019-09-05 14:22:57

it's hard to articulate just how much using InTune sucks in a quantifiable way

:upvote: Matt Dermody, MichaelM21, Wolfgang Bauer, Mark Vonk
😂 Nick
Justin Butts (justin.butts777@gmail.com)
2019-09-05 14:23:38

You don't know until you're 17 "blades" in to a policy to change one small setting

👍 MichaelM21, Mark Vonk
Justin Butts (justin.butts777@gmail.com)
2019-09-05 14:23:56

or trying to delete a VPP'd app to find that that's just simply something you can't do in InTune

👍 MichaelM21, Mark Vonk
MichaelM21 (mike.miller815@yahoo.com)
2019-09-05 14:43:12

Totally agree with you guys.

MichaelM21 (mike.miller815@yahoo.com)
2019-09-05 14:43:48

Also if Android Enterprise corporate enrollment is important, Intune is out of the game

Nick (nickdiaz@gmail.com)
2019-09-05 22:14:08

*Thread Reply:* What makes you say Intune is out for AE?

MichaelM21 (mike.miller815@yahoo.com)
2019-09-06 06:45:17

*Thread Reply:* COBO still in preview after how many months/years... no COPE in sight! Only COSU with no user affinity.. So what DO do you pick? no way to enable system apps via Intune. No MX support for Zebra Devices via DA.. And while we are at it - no E-FOTA!

Nick (nickdiaz@gmail.com)
2019-09-06 13:30:10

*Thread Reply:* I’m not as familiar with the limitations as you are. Just trying to understand the difference from what both Google and Microsoft are saying when calling Intune “AE Ready” (https://androidenterprisepartners.withgoogle.com/provider/#!/75 ) and the reality. Acknowledged that many use cases aren’t viable.

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-09-06 14:35:11

*Thread Reply:* I have a pretty long list what doesn’t work with Intune. I will share it once I finished it! 😊

👍 Nick
MichaelM21 (mike.miller815@yahoo.com)
2019-09-06 15:58:47

*Thread Reply:* Before I dive into the weekend I’d like to share this one (again) because it always makes me laugh and cry at the same time - I will never understand this action of a non-compliant device: 😂😂🙈🙈

AJ (ajorgensen@mobileiron.com)
2019-09-07 00:46:54

*Thread Reply:* You mean AE Ready**?

😂 MichaelM21
AJ (ajorgensen@mobileiron.com)
2019-09-07 00:47:59

*Thread Reply:* You'll notice the only other vendor with a ** is Google itself.

👍 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-09-07 07:09:17

*Thread Reply:* LMAO 👍

MichaelM21 (mike.miller815@yahoo.com)
2019-09-05 14:44:48

So is the Outlook app on iOS, because there still is no caller-API support to be GDPR compliant

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-09-05 15:17:04

Outlook app on iOS sucks big time anyway, not just because of the missing caller-API...

😂 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-09-05 18:34:53

Not arguing that @Marc van der Kooy 😂

MichaelM21 (mike.miller815@yahoo.com)
2019-09-05 18:41:40

Any release date on Sentry 9.7.2 which obviously will be needed for iOS 13 support due to the new info from MI

Almar Diehl (almar.diehl@blaud.com)
2019-09-05 19:33:13

*Thread Reply:* MobileIron: It is not a requirement to upgrade. In Sentry 9.7.2 what changes is the self-signed certificate format, and Sentry 9.7.2 will generate compatible certificates with iOS 13 and macOS 10.15. As long as the existing certificates on Sentry meet the requirement from this KB, there is no need to upgrade Sentry: https://help.mobileiron.com/s/article-detail-page?urlname=iOS-13-macOS-10-15-Requirements-for-SSL-certificate-trust

MichaelM21 (mike.miller815@yahoo.com)
2019-09-06 06:48:55

*Thread Reply:* Thanks Almar! 👍 So the Email that they sent out was too basic!

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-09-06 11:43:58

*Thread Reply:* There are also some discussions that you need Sentry 9.7.2 if you use Access.

👍 MichaelM21
Nick (nickdiaz@gmail.com)
2019-09-05 18:48:19

Heard yesterday that the messaging that went out from MI that 9.7.2 is required for iOS13 support was not correct.

NicolasR (raison_nicolas@me.com)
2019-09-05 21:10:23

SENTRY 9.7.2 IS NOT NEEDED UNLESS YOU USE SELF SIGNED CERTIFICATES OR LEGACY ACCESS! @here As the question came from everywhere today... better now that is said broadcasting 😂

👍 Mark Vonk, Woody, Phil Hackett, MichaelM21, Adrian Patrascu, Wolfgang Bauer
Mark Vonk (mark.vonk@dahvo.com)
2019-09-05 21:21:15

Who is still using self signed certs anyway… Time to stop that BS

👍 Woody, NicolasR, Phil Hackett, Jason, MichaelM21, Daniël Kraaijeveld
👏 NicolasR
🙌 NicolasR
😂 MichaelM21
vincent MILLY (vincent.milly@pongara.fr)
2019-09-06 09:40:36

@vincent MILLY has joined the channel

Conradin Candrian (Conradin.Candrian@swisscom.com)
2019-09-08 10:13:05

@Conradin Candrian has joined the channel

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-09 08:20:17

@Armin Beiner has joined the channel

mahiroux (mhyb.mk@gmail.com)
2019-09-10 13:34:10

Has anyone successfully deployed Cisco Jabber for iOS and Android via mobileiron?

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 13:55:22

Anyone else experiencing issues with Cert Based Auth for Wifi with Core 10.4.0.1? Certs are being issued, but device can’t connect. Only new enrollments are affected - CORRECTION: no device is able to connect via CBA. How can I decrypt the M@W logs? Only via support? Pull client logs is only for Android

Mark Vonk (mark.vonk@dahvo.com)
2019-09-10 19:19:04

*Thread Reply:* I am not sure if the M@W logs will help at all…. If the device can’t connect, you will need the device logs (if Android, use ADB) and your WiFi controller logs to determine the issue.

Mark Vonk (mark.vonk@dahvo.com)
2019-09-10 19:19:41

*Thread Reply:* No generic issue with this on 10.4.0.1 I believe; I did not see any issues so far with client certs.

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 19:47:22

*Thread Reply:* The controller is not even relevant at this point because it looks like the configuration is not being applied on the device because choosing the Wifi SSID manually prompts for a username and password

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 19:49:12

*Thread Reply:* But you are right, could also be an issue with the controller that CBA is not working at all

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 19:49:46

*Thread Reply:* Having said that it worked fine before the upgrade to 10.4.0.1

Mark Vonk (mark.vonk@dahvo.com)
2019-09-10 19:49:47

*Thread Reply:* Aha, so the config fails to be applied. Or the referenced client cert can’t be found. Something like that. Do you see the client cert on the device at all?

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 19:50:35

*Thread Reply:* Yes, the client cert is on the device. Also the wifi config has the status applied on Core

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 19:51:22

*Thread Reply:* I am using the same SCEP for Exchange.. Exchange works though

Mark Vonk (mark.vonk@dahvo.com)
2019-09-10 19:55:48

*Thread Reply:* Scep for Exchange or for Sentry ? Because the Sentry is not really picky about the cert: as long as it’s from the correct CA, the sentry will allow it. Did the Core push new client certs? You mentioned all devices fail to authenticate. If so, the Core must have pushed all new client certs to all devices.

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 20:01:35

*Thread Reply:* Yes, SCEP with Sentry (KCD) for Exchange, but of course without Sentry for Wifi. But we referenced the same SCEP in the wifi and exchange config

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 20:02:39

*Thread Reply:* Yes, all devices stopped working.. Have not verified if Core pushed out new certs. Have verified that new enrollments get new certs and they also fail.

Mark Vonk (mark.vonk@dahvo.com)
2019-09-10 20:09:42

*Thread Reply:* I would check that first. Because of the following: if a device, registered prior to the upgrade to 10.4.0.1, did not get new client certs pushed, the “old” certs are still on the device. Hence, these devices should not fail to connect unless on another level something is failing (WiFi controller for example)

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 20:10:09

*Thread Reply:* Gotcha, good point!

Mark Vonk (mark.vonk@dahvo.com)
2019-09-10 20:10:41

*Thread Reply:* If the Core did push out new certs to all devices; there was a change in Core or something else that forced that to happen. That might point to a Core issue and in that case, I would investigate, with MI support, what caused that to happen.

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 20:15:09

*Thread Reply:* Thanks Mark, I will investigate further! 👍

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 21:38:37

*Thread Reply:* Ok I have picked two sample devices. Core has not pushed out new certs for these users and the cert is still on the device, but choosing the SSID on the device brings up the dialog for username/password. Will check the controller tomorrow, but it seems that there is an issue with the wifi config. Found out that a lot of other devices are suddenly in the watchlist of the wifi config but nothing was changed within the config - not my sample devices though

MichaelM21 (mike.miller815@yahoo.com)
2019-09-11 14:23:46

*Thread Reply:* I had to remove the trusted certificate names of the network controller from the wifi config even though they are still valid!

MichaelM21 (mike.miller815@yahoo.com)
2019-09-11 15:27:09

*Thread Reply:* That’s the one!

Phil Burk (philburk@mac.com)
2019-09-10 14:15:42

Customer is migrating to Apple Business Manager, finally. Has multiple MI Cores (3). Does this require multiple VPP tokens, one for each server? How the heck does this work? I am new to MI and VPP as well, I came from managing computers and at $oldJob we didn't use VPP.

Tobias (tobias.gruenewald@ebf.com)
2019-09-10 14:57:28

yes, one VPP token for each Core. If the three Cores should use distinct VPP apps and license pools you can define multiple locations and generate one VPP token for each location.

Phil Burk (philburk@mac.com)
2019-09-10 14:57:47

as suspected, thank you for confirming

macbentosh (benbergthold@gmail.com)
2019-09-10 17:14:47

anyone @here ever seen this error for vpp?

macbentosh (benbergthold@gmail.com)
2019-09-10 17:14:48

SSErrorDomain error 141.)</string>

MichaelM21 (mike.miller815@yahoo.com)
2019-09-10 21:40:59

*Thread Reply:* Is there more info within the error message? What’s your issue - prompting for an Apple ID?

AJ (ajorgensen@mobileiron.com)
2019-09-11 01:43:26

*Thread Reply:* try refresh vpp info to the platform

AJ (ajorgensen@mobileiron.com)
2019-09-11 01:43:42

*Thread Reply:* usually means there is a licence allocation error

NicolasR (raison_nicolas@me.com)
2019-09-11 08:15:24

*Thread Reply:* Apple confirmed there are VPP issues that they are investing on

Tobias (tobias.gruenewald@ebf.com)
2019-09-11 09:16:34

*Thread Reply:* Hopefully they are investigating 😉 🤣

😂 NicolasR
MichaelM21 (mike.miller815@yahoo.com)
2019-09-11 14:24:56

*Thread Reply:* @NicolasR do you have a reference for that?

NicolasR (raison_nicolas@me.com)
2019-09-11 14:25:19

*Thread Reply:* not anything specific, just info I heard internally.

👍 MichaelM21
macbentosh (benbergthold@gmail.com)
2019-09-11 15:40:01

how long do you all wait at this screen before force rebooting it?

macbentosh (benbergthold@gmail.com)
2019-09-11 15:40:38

nvm guess all i needed to do was message this group and it would reboot

Jason (jasonh@bridgeway.co.uk)
2019-09-11 16:28:13
😄 Phil Burk, Almar Diehl, NicolasR
✅ NicolasR
Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-09-12 09:02:38

Is anyone familiar with this error generated by MobileIron syncing DEP devices? "Check updates for DEP Account 'xxx' failed with reason : oauthproblemadvice Bad Request."

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-09-12 10:09:31

is the token still valid?

MichaelM21 (mike.miller815@yahoo.com)
2019-09-12 11:40:24

Anyone seen this on Email+ for iOS?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-09-12 12:30:33

are one or more certificates in the file?

MichaelM21 (mike.miller815@yahoo.com)
2019-09-12 12:32:18

In which file do you mean? We use KCD with exchange. We reference the SCEP in the email+ config. The same for native mail with the Exchange config, which works. Only email+ fails.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-09-13 07:28:19

*Thread Reply:* haven't seen this at a scep profile yet. We had a very similar problem with smime certs at email+. Seems it does not like all types of certificates/parameters.

Woody (eric.woodland@trust.tc)
2019-09-12 16:18:14

Just had a colleague refer to MobileIron as Mountain Iron! 😆

Tobias (tobias.gruenewald@ebf.com)
2019-09-12 16:45:01

Yea, MountainIron is the new brand, will be announced soon

😆 Woody, Justin Butts, JP Guldfeldt, Jack Madden
Justin Butts (justin.butts777@gmail.com)
2019-09-12 17:22:52

Where do I buy

Woody (eric.woodland@trust.tc)
2019-09-12 18:17:09

Nice PS work there @Tobias!

Matt Dermody (jmdermody@gmail.com)
2019-09-12 19:08:39

That’s great. I assume they were confused with Iron Mountain

JmB (jean-marc.bichaud@econocom.com)
2019-09-13 09:34:04

Hello @here, question on Access Delegated IDP (ADFS + O365), when deploying Access, you only have to set a Delegated pair with ADFS and run the script on ADFS ? is that all for configuring the flow traffic ?

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-13 09:37:09

*Thread Reply:* Hi Jean-marc, as far as I am aware - yes

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-13 09:38:17

*Thread Reply:* I implemented this in our staging environment -> you need to make sure that you got the certificate mapping in place - also the powershell script might add some further lines to the onload.js for the ADFS Web Theme that you are using for difference between Mobile and Workplace

👍 JmB
JmB (jean-marc.bichaud@econocom.com)
2019-09-13 15:53:19

*Thread Reply:* Thanks Armin, up & Running :)

Dennis Wittig (dennis.wittig@ebf.com)
2019-09-13 15:38:19

@Dennis Wittig has joined the channel

Bianca (b.tijssen-van.gelder@belastingdienst.nl)
2019-09-15 08:11:07

@Bianca has joined the channel

Mirko Bülles (mbulles@mobileiron.com)
2019-09-16 14:46:49

@channel For EMEA partners; please check if you have recently received invites/registration for the upcoming EMEA partner events in October/November

Jason Bayton (jason@bayton.org)
2019-09-16 19:52:20

*Thread Reply:* I have not!

macbentosh (benbergthold@gmail.com)
2019-09-16 15:18:56

…Nothing yet.

NicolasR (raison_nicolas@me.com)
2019-09-16 15:33:29

I think @Mirko Bülles mentions EMEA partners events, not US/APJ

Jason (jasonh@bridgeway.co.uk)
2019-09-16 15:46:18

Yup

Miklos Kerekfy (miklos@kerekfy.hu)
2019-09-16 16:07:36

Yes, already registered to Nov 14 Vienna 🙂

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-18 09:15:47

Has anyone seen the behavior with Android Enterprise Work Profile that for some Apps it just states "Waiting for Download" - it happens in Android 9 Work Profile with an Oppo Device - and also with Android 10 on a Pixel 3 Phone. I see this behavior for Docs@Work and some other Apps. Other apps that should be silent installed are working - but as soon as it tries to download Docs@Work it just blocks everything, other apps are not being downloaded and it just states "Waiting for Download" and spins endlessly. On a Samsung S10 with Android 9 it is working without an issue.

Jason Bayton (jason@bayton.org)
2019-09-18 09:31:28

*Thread Reply:* Does it resolve after a reboot?

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-18 09:31:51

*Thread Reply:* Nope - Tried to reboot - also retired and performed a new registration

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-18 09:31:58

*Thread Reply:* behavior stays the same

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-18 09:32:27

*Thread Reply:* Sometimes I can cancel the Docs@Work download and it jumps to the next app - but not always - and still docs@work never showed up on the oppo or pixel device

Jason Bayton (jason@bayton.org)
2019-09-18 09:33:36

*Thread Reply:* I wouldn't count on anything working properly with oppo/Xiaomi/related, but on pixel that's unusual. Indeed cancelling the stalled app gets things moving for me, and it's not limited to WP.

👍 AJ
Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-18 09:34:32

*Thread Reply:* Yeah - I am not sure if I am hitting this issue on Pixel because of Android 10

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-18 09:34:48

*Thread Reply:* Because on Samsung with Android 9 everything is working - and I am also not a fan of those oppo devices

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-18 09:34:59

*Thread Reply:* but from Pixel I would have expected that this should be working without an issue

AJ (ajorgensen@mobileiron.com)
2019-09-19 04:54:39

*Thread Reply:* Does it look ok on https://play/google.com/work

MichaelM21 (mike.miller815@yahoo.com)
2019-09-18 12:49:02

Is anyone using a proxy with web@work on iOS. I want to send all the external traffic through a proxy, the tunneled services don’t have to go through the proxy. Is there a way to achieve that?

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-18 13:27:38

*Thread Reply:* I think you can do this with Advanced Traffic Control Settings on Sentry -> there you can specify a proxy and also specify which traffic should go through sentry directly allowed and what traffic should go through the proxy

Armin Beiner (Armin.Beiner@swisscom.com)
2019-09-18 13:27:55

*Thread Reply:* I am not sure if this is what you are looking for

🙏 MichaelM21
System Admin (sagar080890@gmail.com)
2019-09-18 16:33:26

Guys, one of the users is having a challenge while connecting iPad to Mac, QuickTime is not recognizing iPad. User wants to screen share from iPad to Mac. User has full USB access to Mac. Any specific setting need to be done in Mac or iPad?

MichaelM21 (mike.miller815@yahoo.com)
2019-09-18 19:04:04

*Thread Reply:* Is this a DEP device where perhaps the USB pairing is disabled? Can you pair the iPad to the Mac?

👍 Justin Butts
macbentosh (benbergthold@gmail.com)
2019-09-18 22:58:53

getting this error on about every 10th device generateXML: Client: 1073753189 -- No MDM device certificate found (event 201276587)

AJ (ajorgensen@mobileiron.com)
2019-09-19 04:52:08

*Thread Reply:* Sounds like a DEP deployment in which the agent is deployed by VPP and hasn't been activated within 24h of enrollment

mahiroux (mhyb.mk@gmail.com)
2019-09-19 17:41:03

On iOS 13+, I can save managed email attachments from Native Mail app to 'Files App'. Is there a way to restrict this besides using Sentry attachment control?

Mark Vonk (mark.vonk@dahvo.com)
2019-09-19 18:31:06

Depends on how you set the managed > unmanaged apps and unmanaged > managed app restrictions. If you do not allow from managed to unmanaged, in theory, it should not allow you to save it to files (because unmanaged). If it does, I assume it’s a bug..

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-19 18:48:51

@mahiroux @Mark Vonk there is known issue with iOS 13.0 - Managed data can bypass Open-in restrictions using Files app - should be fixed in iOS 13.1 beta 2 - see https://help.mobileiron.com/s/article-detail-page?urlname=MobileIron-Guidance-on-iOS-13-iPadOS-13-Compatibility

👍 Mark Vonk, Jason
mahiroux (mhyb.mk@gmail.com)
2019-09-19 19:34:04

@Ladislav Blazek With iOS 13.0, managed data from app-connect apps such as Docs@work were able to save in to Files app, that is resolved in iOS beta 13.1 beta2, however I am still able to save managed documents from native mail app onto Files App.

Ladislav Blazek (ladislav@lblazek.cz)
2019-09-19 19:47:09

@mahiroux yes that is true. But try to open document from the Files app. You will notice that saved document is still managed and it is possible to share/open it only to/in managed apps. I just tested it on the latest 13.1 beta.

mahiroux (mhyb.mk@gmail.com)
2019-09-20 06:16:02

@Ladislav Blazek You are right. Documents are managed even if saved on Files app. Would these documents become unmanaged if EMM is removed from the device?

Almar Diehl (almar.diehl@blaud.com)
2019-09-20 10:13:59

Hi, when enrolling an Android Enterprise COBO device using the afw#mobileiron.core method the drop-down menu for (quick) settings is not available (tested both on Nokia 8 and Samsung XCover 4s). When enrolling the same devices using either NFC bump or QR code does have the drop-down options available. Anyone know if this is a MobileIron or Android issue?

AJ (ajorgensen@mobileiron.com)
2019-09-23 01:36:41

*Thread Reply:* post-provisioning but pre-enrolment?

AJ (ajorgensen@mobileiron.com)
2019-09-23 01:37:29

*Thread Reply:* or post enrolment with the kiosk launcher and lock task active?

Almar Diehl (almar.diehl@blaud.com)
2019-09-23 08:45:34

*Thread Reply:* Post provisioning, no kiosk.

Jason Bayton (jason@bayton.org)
2019-09-20 11:10:44

MobileIron I'd assume. Check if the same default policies are being applied (via ticket)

Kiran Patel (kiran@kiranpatel.net)
2019-09-21 15:22:37

Anyone notice that on iOS 13 that Apps@Work doesn’t fit the screen anymore as full screen web clips show the url on top in new UX? This means the bottom icons on a phone without a button (X, XS, etc) can’t easily tap the bottom row of icons

MichaelM21 (mike.miller815@yahoo.com)
2019-09-23 14:24:57

Are there any specific Firewall exceptions for Cloud Notification Service with Email+ on iOS with Core? (not Realtime CNS).. it looks like CNS is not working when a device is connected to our company wifi. 4G connections seems to work, CNS triggers within the 300sec.

NicolasR (raison_nicolas@me.com)
2019-09-23 14:43:17

*Thread Reply:* Known issues on going: trust.mobileiron.com

NicolasR (raison_nicolas@me.com)
2019-09-23 14:43:34

*Thread Reply:* SET-18609

NicolasR (raison_nicolas@me.com)
2019-09-23 14:44:53

*Thread Reply:* appears to be fixed as per internal comment since 3:33 PM but need to rely on official status to be sure. 😉

MichaelM21 (mike.miller815@yahoo.com)
2019-09-23 16:47:08

*Thread Reply:* Oh shit.. ok thanks totally missed that ✌️

MichaelM21 (mike.miller815@yahoo.com)
2019-09-25 09:52:44

*Thread Reply:* Ok we found out that the notifications do not arrive outside of business hours. The work hours feature is disabled within Email+, but still no notifications arrive at the evening. Opening Email+ the next morning brings all the emails. Any ideas?

NicolasR (raison_nicolas@me.com)
2019-09-25 10:27:10

*Thread Reply:* nope

macbentosh (benbergthold@gmail.com)
2019-09-24 16:47:08

Anyone else having to reenroll devices that came from a backup still?

Pierre (pierre.tabanous@digitaldimension.fr)
2019-09-25 08:32:11

*Thread Reply:* iOS backups ? DEP or not ? if so, this has always been a big issue. There is a product bulletin within MI about it and in the comments everybody has its own recipe, which work for some and not for others...

Sherezade (sfraile@offshoretech.net)
2019-09-26 08:00:49

@Sherezade has joined the channel

Sherezade (sfraile@offshoretech.net)
2019-09-26 08:07:56

hi team, have a problem. I have a CORE 10.3 and a SENTRY 9.6.1. And I use Android Enterprise configure. The problem happened when use docs@work. In it, I have configured a networkdrive, It can see in docs@work but when I try to access a metadata error happened "error downloading metadata:Invalid response from server was obtained. Contact your administrator". The Sentry is a Standalone Sentry.

Almar Diehl (almar.diehl@blaud.com)
2019-09-26 13:54:52

*Thread Reply:* Do you also have MobileIron Tunnel app configured on the device?

Sherezade (sfraile@offshoretech.net)
2019-09-26 16:02:10

*Thread Reply:* No, is it necessary? I think is only necessary configure in docs@work app: AppTunnel rule {"sentryHostName": "https://xx.xxx.net", "sentryPort": "445", "domainPattern": ["*. *"]}

Martin Hodgson (martinh@bridgeway.co.uk)
2019-09-26 18:30:18

*Thread Reply:* Tunnel app isn’t required. Sentry port: try 443. "sentryService" appears to be missing, following sentryPort, such as "sentryService":"CIFS"

Have it working fine with Kerberos auth

Martin Hodgson (martinh@bridgeway.co.uk)
2019-09-26 18:31:15

*Thread Reply:* Debug on Sentry will confirm if device is hitting it

Sherezade (sfraile@offshoretech.net)
2019-09-27 08:21:14

*Thread Reply:* thanks I test port 443 and 445 with the same result. Finally it works, without tunnel app, without "sentryService":"CIFS" in JSON. I don't know how. I hate JSON!! but thanks for all!!

JmB (jean-marc.bichaud@econocom.com)
2019-09-26 09:25:58

Hello guys @here, Is it possible to automatically install WebClip on iOS ? I only found configuration to push it in the Apps@Work... (Core 10.4) Thanks, have a great day

NicolasR (raison_nicolas@me.com)
2019-09-26 09:26:18

yep

NicolasR (raison_nicolas@me.com)
2019-09-26 09:26:28

CORE or Cloud?

JmB (jean-marc.bichaud@econocom.com)
2019-09-26 09:26:38

Core

NicolasR (raison_nicolas@me.com)
2019-09-26 09:26:55

Policies & Config > Configuration > Add new > iOS > Webclip

JmB (jean-marc.bichaud@econocom.com)
2019-09-26 09:27:38

arf Using policy instead of WebApplication !

JmB (jean-marc.bichaud@econocom.com)
2019-09-26 09:27:43

thanks mate

NicolasR (raison_nicolas@me.com)
2019-09-26 09:28:54

😉

macbentosh (benbergthold@gmail.com)
2019-09-26 18:22:43

Anyone @here remember where to change the setting that prevents the users from being notified in the app about a privacy change?

macbentosh (benbergthold@gmail.com)
2019-09-26 18:32:58

Also why is this crap always blank when I pick more than one device!!??

JmB (jean-marc.bichaud@econocom.com)
2019-09-27 10:55:27

Hello @here, any idea on how to enable system apps on the personal side (COPE) like Gallery & Camera on Samsung ? These 2 apps are only displayed on the work profile.

Almar Diehl (almar.diehl@blaud.com)
2019-09-27 11:03:31

*Thread Reply:* I only got this working by enabling all system apps in KME.

JmB (jean-marc.bichaud@econocom.com)
2019-09-27 13:23:29

*Thread Reply:* Thanks, I just tried and you're right, Camera & Gallery are displayed in the personal profile only if you enable all system Apps in KME...

JmB (jean-marc.bichaud@econocom.com)
2019-09-27 13:32:47

Hello @here, is someone using Help@Work in COPE mode on Android Enterprise (Fully managed device with work profile) ? The Mobile@Work client being on the personal profile, the request for remote session is asked on the personal side ! So it asks for the user to download quicksupport on the personal Play Store...

Ajay Patel (ajay5675@msn.com)
2019-09-27 14:28:42

trying to help a customer on mobileiron, however as I've never seen the portal I'm hoping someone can help here. Where would I go to see a list of devices that have been synced from the customer's ABM account? For example in WS1, you go to devices > lifecycle and see them in there?

JmB (jean-marc.bichaud@econocom.com)
2019-09-27 15:03:48

*Thread Reply:*

Ajay Patel (ajay5675@msn.com)
2019-09-27 15:43:27

*Thread Reply:* @JmB thanking you kindly sir!

Julian Brennan (jbrennan@vmware.com)
2019-09-30 05:30:53

@Julian Brennan has joined the channel

Ala Almaet (ala@alaalmaet.com)
2019-10-01 01:07:27

@Ala Almaet has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-10-02 11:09:28

I need to change the apple id of the mdm certificate on Core because the apple id doesn’t exist anymore and I can‘t renew the cert. If I use a new cert, do I have to reenroll every iOS device?

aaron (aaron@groundctl.com)
2019-10-02 11:23:03

Yes, but Apple enterprise support can help you avoid that.

MichaelM21 (mike.miller815@yahoo.com)
2019-10-02 11:44:31

It looks like they can’t. We have raised a ticket with Apple and they said there is no way to restore the apple id, because it was deleted month ago

😱 NicolasR
Phil Burk (philburk@mac.com)
2019-10-02 12:35:06

eeek

macbentosh (benbergthold@gmail.com)
2019-10-02 15:43:23

anyone @here having users on iOS 13 getting a message about downloading the rest of the message first before replying or forwarding?

Ajay Patel (ajay5675@msn.com)
2019-10-02 15:44:08

*Thread Reply:* i did have this issue with the beta, but 13.1 GA seemed to resolve this for me

mahiroux (mhyb.mk@gmail.com)
2019-10-02 15:46:40

*Thread Reply:* I have noticed this in 13.1 as well.

Kiran Patel (kiran@kiranpatel.net)
2019-10-02 15:50:50

*Thread Reply:* Yes I've seen this personally in the beta and still with 13.1.2. Also noticed an increased uptick on when you reply it trims the body

Ajay Patel (ajay5675@msn.com)
2019-10-02 15:52:33

*Thread Reply:* i was getting all of this in beta versions (every one since 13 became available) but im not getting this on my new iPhone 11 running non beta software

macbentosh (benbergthold@gmail.com)
2019-10-02 16:00:02

*Thread Reply:* exchange only or IMAP email too?

Ajay Patel (ajay5675@msn.com)
2019-10-02 16:00:19

*Thread Reply:* only tested with exchange

macbentosh (benbergthold@gmail.com)
2019-10-02 16:10:24

*Thread Reply:* not seeing it with gmail

macbentosh (benbergthold@gmail.com)
2019-10-02 16:14:35

*Thread Reply:* any postings about this? The exchange guys are pointing the finger at Mobileiron

Ajay Patel (ajay5675@msn.com)
2019-10-02 16:28:19

*Thread Reply:* definitely not MobileIron, I'm just using nativeActivesync (although as mentioned no longer seeing the issue)

macbentosh (benbergthold@gmail.com)
2019-10-02 16:31:57

*Thread Reply:* we still are… Wonder if i need to update the users and setup email again

macbentosh (benbergthold@gmail.com)
2019-10-02 16:35:14

*Thread Reply:* sentry version matter?

Kiran Patel (kiran@kiranpatel.net)
2019-10-02 17:07:44

*Thread Reply:* We are seeing the issue with a managed mail profile directly to Office 365 (no sentry in the mix) so that should rule that out

Aseleven (lee@aseleven.co.uk)
2019-10-02 15:43:52

Nope

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-10-02 16:04:31

I’m looking for a document how to get MI Tunnel working with iOS SSO/CBA with local CA for Safari. I think I’m almost there but just missing the last steps to get it working.

Kiran Patel (kiran@kiranpatel.net)
2019-10-02 17:06:26

*Thread Reply:* did you import the MI Root cert into your NTAuth store?

Kiran Patel (kiran@kiranpatel.net)
2019-10-02 17:08:04

*Thread Reply:* here is the command we ran

Kiran Patel (kiran@kiranpatel.net)
2019-10-02 17:08:06

*Thread Reply:* certutil -enterprise -addstore NTAuth MobileIronCACertFilename.cer

Kiran Patel (kiran@kiranpatel.net)
2019-10-02 17:08:16

*Thread Reply:* needs to be run by an Enterprise Admin I believe

Kiran Patel (kiran@kiranpatel.net)
2019-10-02 17:09:04

*Thread Reply:* also what's your SSO config in MI and Tunnel SRV key pair look like?

👍 MichaelM21
Kiran Patel (kiran@kiranpatel.net)
2019-10-02 17:09:11

*Thread Reply:* I've spent more time on this than I'd like to admin 🙂

AJ (ajorgensen@mobileiron.com)
2019-10-03 02:57:41

*Thread Reply:* yeah I'd be using customer PKI/SCEP before adding local CA to the NTAuth store

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-10-03 08:40:10

*Thread Reply:* Kiran I did that but still no result on the device

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-10-03 08:41:10

*Thread Reply:* this is my SingleSignOn config

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-10-03 08:42:09

*Thread Reply:* and the SRV record in the tunnel

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-10-03 08:42:33

*Thread Reply:* I think it's in the certificate or something on the domain controller itself

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-10-03 08:43:20

*Thread Reply:* in the event manager I see a failed smartcard logon due to a certificate error

Kiran Patel (kiran@kiranpatel.net)
2019-10-03 16:20:16

*Thread Reply:* Which local CA are you using now? MI Core Local CA?

👍 Peter-Marc Krombos
Kiran Patel (kiran@kiranpatel.net)
2019-10-03 16:21:26

*Thread Reply:* What do your safari domains in the VPN profile look like?

Kiran Patel (kiran@kiranpatel.net)
2019-10-03 16:22:42

*Thread Reply:* have you tried in the SSO config the URL prefix to be http://.mmsdemo.nl & https://.mmsdemo.nl

Kiran Patel (kiran@kiranpatel.net)
2019-10-03 16:22:55

*Thread Reply:* also try removing the application identifier to rule that out.

Kiran Patel (kiran@kiranpatel.net)
2019-10-03 16:23:10

*Thread Reply:* for example if you're testing with a webclip the identifier is different I believe

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-10-04 12:36:08

*Thread Reply:* @Kiran Patel I'm using MI Local CA and changing the SSO config URL to http//.mmsdemo.nl is not allowed to do, so I changed it to http://**.mmsdemo.nl but it does not change anything. I am still being prompted for username/password. If I leave out the certificate in the SSO Config the SSO prompt is shown. When I fill in the password I will be signed in.

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-10-04 12:37:26

*Thread Reply:* in the VPN in the safari domains i have mmsdemo.nl filled in.

Peter-Marc Krombos (pm.krombos@gmail.com)
2019-10-04 12:37:53

*Thread Reply:* everything is working VPN and SSO except for the CBA part

Kiran Patel (kiran@kiranpatel.net)
2019-10-04 16:58:16

*Thread Reply:* for Safari domains do you have MI Access with wildcard split tunnel?

Kiran Patel (kiran@kiranpatel.net)
2019-10-04 16:58:26

*Thread Reply:* if not you may have to specify the DC's in there and specific web servers

MichaelM21 (mike.miller815@yahoo.com)
2019-10-06 20:08:25

*Thread Reply:* I believe we had the same issues with Core as local CA, SCEP via NDES works fine. I believe there is a document somewhere that for iOS SSO it is not recommended to use the local CA!

Kiran Patel (kiran@kiranpatel.net)
2019-10-07 20:21:00

*Thread Reply:* are you testing this on a device that has iOS 13.2 Beta 1 by any chance? I actually recently faced issues with that but works fine for me in iOS 13.1.2

Cédric REIN (cedric.rein@mobinergy.com)
2019-10-03 20:06:44

@Cédric REIN has joined the channel

Lukas Braun (lukas.braun@ebf.com)
2019-10-04 16:19:06

@Lukas Braun has joined the channel

Bastien B (bastienb@gmail.com)
2019-10-04 16:47:49

@Bastien B has joined the channel

Michael Brown (nzmikeyb@gmail.com)
2019-10-07 19:58:26

@Michael Brown has joined the channel

Iortx (jorge.barturen@gmail.com)
2019-10-08 22:37:11

@Iortx has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-10-10 13:33:02

How can I assign user portal permissions to an OU? We want to assign User Portal permissions to our entire domain users, but without the use of groups.

Lukas Braun (lukas.braun@ebf.com)
2019-10-10 13:36:40

*Thread Reply:* Are you searching for this?

MichaelM21 (mike.miller815@yahoo.com)
2019-10-10 13:36:59

*Thread Reply:* Thanks, yes 🙏 - and your „test“ is the name of the OU, right?

Lukas Braun (lukas.braun@ebf.com)
2019-10-10 13:37:41

*Thread Reply:* Yea, it's blank if you open it without an entry inside the search list. Took a test OU for the screenshot. 🙂

MichaelM21 (mike.miller815@yahoo.com)
2019-10-10 13:38:11

*Thread Reply:* Perfect! 🙏

Lukas Braun (lukas.braun@ebf.com)
2019-10-10 13:45:31

*Thread Reply:*

🙏 MichaelM21
Kiran Patel (kiran@kiranpatel.net)
2019-10-14 21:58:04

Anyone successfully send a PNS or SMS using the MI Core API? Trying the following but having an issue

Kiran Patel (kiran@kiranpatel.net)
2019-10-14 21:58:34
Kiran Patel (kiran@kiranpatel.net)
2019-10-14 21:59:54

postman returns an empty value and powershell errors out on a 405 using the Invoke-RestMethod to the API endpoint

jaimin.s (jaimins@gmail.com)
2019-10-14 22:02:29

Is that the correct end point?

Ladislav Blazek (ladislav@lblazek.cz)
2019-10-14 22:47:06

@Kiran Patel use APIv2 and Post method. Correct endpoint is: /api/v2/devices/action?adminDeviceSpaceId=1&actionType=SEND_MESSAGE

Kiran Patel (kiran@kiranpatel.net)
2019-10-15 02:03:58

Thanks - found the updated API documentation for this as well!

MichaelM21 (mike.miller815@yahoo.com)
2019-10-15 17:20:55

Is it possible with Email+ (iOS and AE) to attach pictures but choose the size of the attached images like with the native client?

NicolasR (raison_nicolas@me.com)
2019-10-15 23:51:18

*Thread Reply:* Nope

👍 MichaelM21
Kiran Patel (kiran@kiranpatel.net)
2019-10-16 16:23:44

Is it possible with MI Access to use a CA rule to limit app access based on Bundle ID and not User Agent?

Mark Vonk (mark.vonk@dahvo.com)
2019-10-16 17:25:49

*Thread Reply:* Do not think so. The user agent is part of the saml request, bundle ID not.

NicolasR (raison_nicolas@me.com)
2019-10-17 15:05:42

*Thread Reply:* some apps pass the bundle id in the user agent

NicolasR (raison_nicolas@me.com)
2019-10-17 15:05:56

*Thread Reply:* so based on that you can create rules

Mark Vonk (mark.vonk@dahvo.com)
2019-10-17 15:33:18

*Thread Reply:* Do you have an example of an app that does that?

NicolasR (raison_nicolas@me.com)
2019-10-17 15:33:33

*Thread Reply:* salesforce I think, let me check

NicolasR (raison_nicolas@me.com)
2019-10-17 15:35:23

*Thread Reply:* Outlook does it

NicolasR (raison_nicolas@me.com)
2019-10-17 15:35:44

*Thread Reply:* salesforce as well

NicolasR (raison_nicolas@me.com)
2019-10-17 15:35:50

*Thread Reply:* ok sorry

NicolasR (raison_nicolas@me.com)
2019-10-17 15:36:00

*Thread Reply:* my bad. It’s not the app that sends that but MI Tunnel

NicolasR (raison_nicolas@me.com)
2019-10-17 15:37:44

*Thread Reply:* Here is the UA for Salesforce app: SalesforceMobileSDK/7.0.0 iOS/12.4 (iPhone) Chatter/220.3(6138468) Hybrid uid2B90ADF6-05B4-4532-8BAD-6701CE66C82B ftrMM Mozilla/5.0 (iPhone; CPU iPhone OS 124 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 iPhone/12.4 iOSiPhone Salesforce1/220.3(6138468)

Kiran Patel (kiran@kiranpatel.net)
2019-10-17 16:47:33

*Thread Reply:* MS office apps send bundleid but it’s not in user agent

Kiran Patel (kiran@kiranpatel.net)
2019-10-17 16:48:12

*Thread Reply:* Any way to have the CA policy look at BundleID rather than UserAgent?

NicolasR (raison_nicolas@me.com)
2019-10-17 17:06:00

*Thread Reply:* Create App Rule

NicolasR (raison_nicolas@me.com)
2019-10-17 17:06:23

*Thread Reply:*

Kiran Patel (kiran@kiranpatel.net)
2019-10-17 18:57:24

*Thread Reply:* I tried that - looks like this but doesn't seem to work

Kiran Patel (kiran@kiranpatel.net)
2019-10-17 18:58:15

*Thread Reply:*

Kiran Patel (kiran@kiranpatel.net)
2019-10-17 18:58:32

*Thread Reply:*

NicolasR (raison_nicolas@me.com)
2019-10-17 22:05:51

*Thread Reply:* Your issue is because of the wildcard character I think. You should just put “com.microsoft.office” and select partial match

Kiran Patel (kiran@kiranpatel.net)
2019-10-17 22:06:55

*Thread Reply:* nice - will try that out

Kiran Patel (kiran@kiranpatel.net)
2019-10-17 22:06:56

*Thread Reply:* thanks

NicolasR (raison_nicolas@me.com)
2019-10-22 16:13:36

*Thread Reply:* I’m on a call with a customer and looks like the bundle id is not being reported every time. I guess we report that when “CertSSO” is enabled (the zero sign on experience for mobile)

Camilo Lotero (clotero@vmware.com)
2019-10-17 15:16:13

@Camilo Lotero has joined the channel

macbentosh (benbergthold@gmail.com)
2019-10-17 20:34:19

Hey @here today I started getting a profile invalid on enrollment on some devices (2 so far). I can enroll other devices with no issue but 2 of them today will not enroll. New devices, non dep

Mark Vonk (mark.vonk@dahvo.com)
2019-10-17 20:56:31

Are you sure the Timezone was set correctly, and thus, the device had the proper time set? That would cause an invalid profile (if only some devices have the issue)

macbentosh (benbergthold@gmail.com)
2019-10-17 21:19:39

yes.

MichaelM21 (mike.miller815@yahoo.com)
2019-10-18 08:09:55

Has anyone tested APN deployment (cellular) for an iOS eSIM with current Core version? That is not working for me, so I guess this is not supported yet

Mark Vonk (mark.vonk@dahvo.com)
2019-10-18 11:00:07

Are you looking to disable the eSim?

MichaelM21 (mike.miller815@yahoo.com)
2019-10-18 11:04:39

*Thread Reply:* No, we use custom APNs with our physical SIM cards and we deploy the APN via MobileIron. Now we want to do the same with the eSIM devices. Not sure if the provider has to put that information within the QR code for the setup of the eSIM or if we can continue to use the APN deployment via Core

Mark Vonk (mark.vonk@dahvo.com)
2019-10-18 12:23:34

*Thread Reply:* I do not think that is possible. The cellular payload does not mention anything about eSim at all. Maybe they have set it up very generically, and works with any voice/data service, but I doubt it.

Peter Mohr (pm@conscia.com)
2019-10-18 14:39:43

*Thread Reply:* shouldn't the APN policy apply to eSiM also. Why would it be different?

Mark Vonk (mark.vonk@dahvo.com)
2019-10-18 15:06:05

*Thread Reply:* That is exactly what I was wondering. Apparently it is not working. But the cellular payload does mention: A cellular payload configures cellular network settings for the user-selected data SIM on the device. I have no experience with the eSim and I am unsure what Apple means by "user-selected data SIM" in that respect.

Peter Mohr (pm@conscia.com)
2019-10-18 15:35:33

*Thread Reply:* The user needs to select which sim (eSim or physical) should be used for data. That sim could then be configured with the policy

MichaelM21 (mike.miller815@yahoo.com)
2019-10-18 16:48:36

*Thread Reply:* Yes that's what I thought too. But we have only the eSIM active on these devices for now, and the APN pushed from Core is not being configured on the device.

drew (hello@drewsecomb.com)
2019-10-20 22:12:35

@drew has joined the channel

Nico Hermeling (nico.hermeling@outlook.com)
2019-10-22 08:05:30

@Nico Hermeling has joined the channel

Sherezade (sfraile@offshoretech.net)
2019-10-22 15:33:23

hi team, I have problem with per-app tunnel. I have configured Tunnel App. In terminal, the app shows the session is started and connected with the sentry. I want to use chrome like tunneled application (Configuring in admin portal in Tunnel App: AllowedAppList com.android.chrome ) but when I stop the session I can surf the Internet without problems. Core in version 10.4. Android Enterprise.

Mark Vonk (mark.vonk@dahvo.com)
2019-10-22 20:52:58

*Thread Reply:* What is the problem? That you are able to go to the internet without Tunnel? Or something else?

Jason Bayton (jason@bayton.org)
2019-10-22 22:31:00

*Thread Reply:* Looks like when tunnel is disabled, Chrome has full access to the net where the expectation is it’d be unable to do anything if tunnel is off?

Sherezade (sfraile@offshoretech.net)
2019-10-23 11:54:15

*Thread Reply:* hi team, When Tunnel is disabled, I can go to internet. I think is put in chrome AllowedAppList com.android.chrome SplitDomainsList
SearchDomain If the tunnel is disabled, you can not use chrome. Is this incorrect?

Mark Vonk (mark.vonk@dahvo.com)
2019-10-23 16:13:53

*Thread Reply:* That is how it indeed works.

👍 Ladislav Blazek
Mark Vonk (mark.vonk@dahvo.com)
2019-10-23 16:15:01

*Thread Reply:* If you want to force it through Tunnel, tunnel should be set to Always On so that the user can't disable it

Sherezade (sfraile@offshoretech.net)
2019-10-23 17:05:36

*Thread Reply:* I activated this in the enterprise profile with the same result

Ajay Patel (ajay5675@msn.com)
2019-10-23 11:16:15

a customer has just said the below statement to me and im a bit baffled, is this true? With Mobile Iron we have noticed they replace the phones existing bootloader with their own so if there is no sim card in the phone when the device is activated then the device is blocked/not activated. Does Samsung replace or modify the bootloader when activating a phone on the Samsung KNOX MDM solution?

Jason (jasonh@bridgeway.co.uk)
2019-10-24 09:19:06

*Thread Reply:* Could it be that Zero Touch Enrolment has been set up on the phone?

Mark Vonk (mark.vonk@dahvo.com)
2019-10-23 16:13:17

No the bootloader is never replaced. Not with Mobileiron or Samsung. Weird statement(s)

Ajay Patel (ajay5675@msn.com)
2019-10-24 08:51:58

it was a very weird statement indeed - i was pretty sure it wasnt the case not sure where and how that got put into their head...

Andrew Olpin (andy@olpin.us)
2019-10-24 23:20:58

Zero touch / ABM would be my guess as well, unless it's some super secret government program where the government requires some sort of custom bootloader.

Ajay Patel (ajay5675@msn.com)
2019-10-25 08:28:24

but if that was the case they would surely work with the OEM to build a bootloader based on their requirements. Thats how i would see it anyway. Samsung will pretty much do anything you ask them do for a 10,000+ device opportunity

Ajay Patel (ajay5675@msn.com)
2019-10-25 12:32:24

is it possible with MI Cloud to make admins sign in using MFA? is there any in built security like in WS1 that can send a one-time session token either via SMS or Email? Or is it possible to use existing iDP like ADFS or OKTA?

AJ (ajorgensen@mobileiron.com)
2019-10-30 02:25:48

*Thread Reply:* You can use Pwd+PIN (User Settings) if you haven't integrated an IDP. If you have, obviously you can use MFA from there

ottseba (ottsebadm@gmail.com)
2019-10-25 13:00:22

@ottseba has joined the channel

NicolasR (raison_nicolas@me.com)
2019-10-26 21:33:25

We have support for old Samsung custom rom systems but not sure this still exists @Ajay Patel today this statement is wrong for me

MichaelM21 (mike.miller815@yahoo.com)
2019-10-29 14:08:43

iOS Activation Lock Bypass Code - do I enter this code instead of the unknown Apple-ID password on the device?

Mark Vonk (mark.vonk@dahvo.com)
2019-10-29 14:36:54

*Thread Reply:* Select the iOS device on Core > Actions > iOS only > Send Activation Lock Bypass Code.

🙏 MichaelM21
Mark Vonk (mark.vonk@dahvo.com)
2019-10-29 14:37:15

*Thread Reply:* You can disable the activation lock if your devices are supervised. That's a bit easier

MichaelM21 (mike.miller815@yahoo.com)
2019-10-29 18:52:52

*Thread Reply:* Why would I want to disable the activation lock?

Mark Vonk (mark.vonk@dahvo.com)
2019-10-29 18:55:07

*Thread Reply:* Because you do not need it on corporate supervised devices... you have a Wipe command and the devices are DEP I assume. So the activation lock does not add anything

Mark Vonk (mark.vonk@dahvo.com)
2019-10-29 18:56:35

*Thread Reply:* If lost you can put it in Lost mode...

Mark Vonk (mark.vonk@dahvo.com)
2019-10-29 18:57:12

*Thread Reply:* So find my iPhone with its activation lock is just an annoyance and does not add any extra protection.

MichaelM21 (mike.miller815@yahoo.com)
2019-10-29 20:01:02

*Thread Reply:* But wait.. our devices are corporate owned (and DEP enrolled) but personal use is allowed. So we can (and we did) end up with active private apple ids on the device. Sure we can wipe it via Core, but the private apple id would still prompt after it comes back up, right? Or will the DEP enrollment override this?

Mark Vonk (mark.vonk@dahvo.com)
2019-10-29 20:22:06

*Thread Reply:* With supervised devices, the Activation lock is per default turned off. Are you on MobileIron Core? If so, check your Security Policy. It will have an option to turn on/off the activation lock. Now it seems to be turned on. You can turn that off. It still allows the user to use the iPhone for personal stuff. Only his/her Apple ID will not be associated with Find my iPhone, which enables the activation lock.

🙏 MichaelM21
Peter Mohr (pm@conscia.com)
2019-10-29 20:45:13

*Thread Reply:* Yes. find my iPhone still works even if you disable activation lock for your DEP devices. No need for activation lock in the enterprise

MichaelM21 (mike.miller815@yahoo.com)
2019-10-30 05:50:44

*Thread Reply:* @Mark Vonk ah now it seems a bit clearer! Thanks.. yes we are on Core and the Activation Lock is ON within the Sec Policy. Just because we thought we will need it for the personal apple ids. Did not know that the find my iPhone feature is not relevant for personal apple ids for DEP enrolled devices! Thanks!

Peter Mohr (pm@conscia.com)
2019-10-30 06:36:15

*Thread Reply:* Yes. Remember: find my iPhone ≠ activation lock. The first may or may not enable the latter

🙏 MichaelM21
Woody (eric.woodland@trust.tc)
2019-10-29 16:46:16

Access and GSuite apps on Android. Last I recall, Google’s apps would not use/allow 3rd party apps to route auth traffic through the Tunnel (thus killing the Access/Auth flow). Does anyone know if that is still the case?

Woody (eric.woodland@trust.tc)
2019-10-29 16:46:53

The last time I tested this was with VMW’s Tunnel, but I believe the result will still be the same

Steven Falconer (stevfal@cdw.com)
2019-10-29 19:37:52

@Steven Falconer has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-10-30 19:14:49

Is there a way to enable a Kiosk mode for Windows 10 devices with MobileIron Core? I am guessing it can be done via MobileIron Bridge with the use of Powershell CMDlets like Set-AssignedAccess.. any experiences?

NicolasR (raison_nicolas@me.com)
2019-10-30 21:41:08

*Thread Reply:* Yes but might need some manual SyncML work... Good luck then!

NicolasR (raison_nicolas@me.com)
2019-10-30 21:41:35

*Thread Reply:* I’ll advise to ask PS to do that

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2019-10-31 15:29:19

*Thread Reply:* Thanks, I will look into it :female_technologist:

MichaelM21 (mike.miller815@yahoo.com)
2019-11-03 14:29:31

*Thread Reply:* Am I blind or is there no documentation how to setup Bridge anymore?

AJ (ajorgensen@mobileiron.com)
2019-11-12 01:29:30

*Thread Reply:*

Tobias (tobias.gruenewald@ebf.com)
2019-10-31 08:55:03

Looking for good resources on how to configure iOS Single SignOn configuration with client certificates. We cannot seem to find any documentation what the client certificate needs to contain for AD to be able to correctly map it to the user. We set the NTPrincipalName SAN to the UPN, the cert is issued by an AD PKI but authentication fails.

Peter Mohr (pm@conscia.com)
2019-10-31 08:55:57

*Thread Reply:* did you also enable cert based auth on the domain controllers ?

Peter Mohr (pm@conscia.com)
2019-10-31 08:56:32

*Thread Reply:* check with "certutil -DCInfo" as domain admin

Peter Mohr (pm@conscia.com)
2019-10-31 09:08:02

*Thread Reply:* Always test with username password first and then enable cert later 🙂

✅ Woody
EricKender (ekender@mobileiron.com)
2019-10-31 16:56:38

@EricKender has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-11-03 06:17:03

Is there a setting (KVP?) to prevent Email+ 3.x for iOS to sync the „recently used“ Outlook contacts?

Woody (eric.woodland@trust.tc)
2019-11-04 12:29:45

*Thread Reply:* I’ve not seen one recently. @NicolasR might have a better idea since it’s a MI product.

MichaelM21 (mike.miller815@yahoo.com)
2019-11-04 14:18:46

*Thread Reply:* Right, also not seen anyone in the documentation. But in the past I was provided with hidden KVPs which have not been exposed in the docs! 😜

NicolasR (raison_nicolas@me.com)
2019-11-04 16:09:46

*Thread Reply:* Let me look into that...

NicolasR (raison_nicolas@me.com)
2019-11-04 16:32:06

*Thread Reply:* Nope, nothing either internally

MichaelM21 (mike.miller815@yahoo.com)
2019-11-04 18:28:52

*Thread Reply:* Thanks 👍🦾🍺

JeroenK (j.kruit@zetacom.nl)
2019-11-04 08:05:37

@JeroenK has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-11-08 11:21:11

If I wipe an Android device will the SD card also be erased? I doubt that. We have a new use case where users use the SD card and it should be able to erase it over the air - I doubt that there are APIs for that. The only solution I see to protect the SD card is to encrypt it.

Jason Bayton (jason@bayton.org)
2019-11-08 11:35:53

Your solution is correct.

👍 MichaelM21, Woody
Jani Kostiainen (j.kostiainen@samsung.com)
2019-11-10 10:54:43

@Jani Kostiainen has joined the channel

Jason Pascual (jp@apple.com)
2019-11-10 15:41:26

@Jason Pascual has joined the channel

Wannes De Boodt (wannes.de.boodt@proximus.com)
2019-11-11 11:58:16

@Wannes De Boodt has joined the channel

NicolasR (raison_nicolas@me.com)
2019-11-12 17:15:56

https://www.mobileiron.com/en/company/press-room/press-releases/mobileiron-integrates-with-zebra-technologies-lifeguard

:upvote: Matt Dermody, Phil Hackett, Woody
✅ Woody
👍 JP Guldfeldt
Matt Dermody (jmdermody@gmail.com)
2019-11-12 18:34:02

*Thread Reply:* I think that makes MobileIron the first to market with “Z-FOTA”? Nice

Matt Dermody (jmdermody@gmail.com)
2019-11-12 18:35:31

*Thread Reply:* This part is confusing. The article is supposed to announce support for LifeGuard OTA but then it takes a turn by saying that only MX via OEMConfig is supported and that LifeGuard OTA is coming in the future?

Matt Dermody (jmdermody@gmail.com)
2019-11-12 18:35:36

*Thread Reply:*

NicolasR (raison_nicolas@me.com)
2019-11-12 18:36:47

*Thread Reply:* MobileIron will support Zebra FOTA as soon it’s available from Zebra (early access in R67 for Cloud and GA in R68/CORE 10.6 in January). From what Zebra told us we are the first in market

👍:skin_tone_2: Matt Dermody, Woody, Johannes Harbs, Jason Bayton, MichaelM21, Phil Hackett, JP Guldfeldt
MichaelM21 (mike.miller815@yahoo.com)
2019-11-14 09:48:16

Anyone still using self-signed SMIME certs with iOS Email+? It looks like after the release of iOS 13 this stopped working. I am not sure but I believe there was something said that self-signed is not supported anymore?

Jason (jasonh@bridgeway.co.uk)
2019-11-14 09:49:30

*Thread Reply:* Correct. Self-signed are not supported with iOS 13 and macOS Catalina.

Jason (jasonh@bridgeway.co.uk)
2019-11-14 09:50:15

*Thread Reply:* https://support.apple.com/en-us/HT210176

MichaelM21 (mike.miller815@yahoo.com)
2019-11-14 10:24:22

*Thread Reply:* Thank you @Jason . In the article you provided I cannot find anything about self signed is not supported. These requirements could also be fulfilled with self-signed certs, could they not?

MichaelM21 (mike.miller815@yahoo.com)
2019-11-14 10:30:23

*Thread Reply:* Ah found it - it's the EKU which is not present with private CAs 😜

Jason (jasonh@bridgeway.co.uk)
2019-11-14 10:40:55

*Thread Reply:* Self-signed certificates have been deprecated by Apple for a while now. For example, iOS 10.3 tightened up on this further: https://support.apple.com/en-us/HT204477

Jason (jasonh@bridgeway.co.uk)
2019-11-14 10:50:28

*Thread Reply:* But presumably in this case you’re using a local (self-signed) CA to issue these leaf certs for the users?

MichaelM21 (mike.miller815@yahoo.com)
2019-11-14 13:50:13

*Thread Reply:* Correct! Local PKI

MichaelM21 (mike.miller815@yahoo.com)
2019-11-19 07:02:24

We deploy an additional mail account to all the iOS devices (native mail app) where we sync all the GAL contacts so the caller id also works for the GAL. Is there a payload to prevent users from editing these contacts or adding new contacts? Some users change existing contacts on a regular basis.

MichaelM21 (mike.miller815@yahoo.com)
2019-11-19 07:10:36

*Thread Reply:* I think I found the answer within the AC:

I gotta test if this will also prevent the modification of other accounts or only this specific one!

MichaelM21 (mike.miller815@yahoo.com)
2019-11-19 07:54:36

*Thread Reply:* Ok so this prevents the user from turning ON/OFF the services within the settings, but the contacts can still be edited. I believe there is no payload for that. Gotta look if there is a way with Office365 to make the contacts not editable

MichaelM21 (mike.miller815@yahoo.com)
2019-11-19 08:02:42

*Thread Reply:* Also the problem is - if one account for outlook.office365.com is configured you cannot add a second one with the same fqdn. Is there a working alias for that? outlook.office.com doesn’t work

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-11-19 08:13:20

*Thread Reply:* I dont get it why people think it is important to see who is calling if the person is not important enough to be in my contacts... But maybe one of the GAL Sync Apps out there is an option? They are read only afaik.

MichaelM21 (mike.miller815@yahoo.com)
2019-11-19 08:41:13

*Thread Reply:* You are absolutely right - beats me! Yes I am looking into CiraSync and co. Also I am currently trying to remove all the permissions via Powershell (Add-MailboxFolderPermissions) for the contacts - has no effect. Can still edit items on the iPhone

NicolasR (raison_nicolas@me.com)
2019-11-19 09:57:54

*Thread Reply:* FYI, CORE 10.6 will support these payloads

MichaelM21 (mike.miller815@yahoo.com)
2019-11-19 10:30:27

*Thread Reply:* @NicolasR you mean the payloads of my screenshot above or payloads for prevent editing contacts?

NicolasR (raison_nicolas@me.com)
2019-11-19 10:43:12

*Thread Reply:* no, I don’t think

NicolasR (raison_nicolas@me.com)
2019-11-19 10:43:22

*Thread Reply:* it’s about prevent editing account

MichaelM21 (mike.miller815@yahoo.com)
2019-11-19 11:40:29

*Thread Reply:* Do you have any details on that I could share?

iMZ (mark_zimmermann@me.com)
2019-11-19 12:58:05

@iMZ has joined the channel

iMZ (mark_zimmermann@me.com)
2019-11-19 12:58:23

Who knows a document about the magic number from mobileiron for DEP Backups from iOS Devices ?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-11-19 14:18:05

*Thread Reply:* What magic number? I don't know any recent document from MI on that.

mahiroux (mhyb.mk@gmail.com)
2019-11-20 06:09:10

Is anyone using Adobe Reader as a managed app? Managed app configurations are not working for us.

MichaelM21 (mike.miller815@yahoo.com)
2019-11-25 19:40:40

Is there any way with MobileIron Core and iOS Native Mail app to use email signatures? Except from transport rules on Exchange or third party tools I don‘t see a feature on Core (except with Email+ I guess) to implement that. Anyone using something similar?

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-11-25 21:16:33

*Thread Reply:* You can set up a Mail config to push a plain text signature. no images, html or variables.

MichaelM21 (mike.miller815@yahoo.com)
2019-11-26 08:35:06

*Thread Reply:* I don‘t see an option for email signatures within the Exchange config on Core to achieve that.

Marc van der Kooy (marc.vanderkooy@gmail.com)
2019-11-26 09:30:08

*Thread Reply:* I'm not sure if it's Email+ only or a general setting, don't have an MI Core at hand

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-11-29 11:35:53

*Thread Reply:* afaik email+ only. Signature for Active Sync is a planned feature for Microsoft Exchange but don't ask me when it will be available.

MichaelM21 (mike.miller815@yahoo.com)
2019-11-26 08:37:56

What exactly is the user experience on an iOS device when I check the option „Use OAuth for Authentication“ within the Exchange config on Core? Will the Safari view controller prompt automatically for authentication on the IdP like ADFS? Or does the user have to jump into the mail app or the settings?

NicolasR (raison_nicolas@me.com)
2019-11-26 09:13:59

*Thread Reply:* When the setting will be pushed to the device you’ll get a notification that asks to go in settings to set the password

NicolasR (raison_nicolas@me.com)
2019-11-26 09:14:44

*Thread Reply:* then you have a safari view that prompts and if ZSO is enabled, the view closes after few seconds

NicolasR (raison_nicolas@me.com)
2019-11-26 09:14:52

*Thread Reply:* and account is authenticated

NicolasR (raison_nicolas@me.com)
2019-11-26 09:15:00

*Thread Reply:* (ZSO = Zero Sign-On)

MichaelM21 (mike.miller815@yahoo.com)
2019-11-26 10:25:15

*Thread Reply:* Ah ok thanks for the details.. we don‘t have MI Access so no ZSO yet. So the users will have to authenticate manually for now, no big deal for a pilot. The only hurdle could be that the users will not go into the settings or will not find it

NicolasR (raison_nicolas@me.com)
2019-11-26 10:31:04

*Thread Reply:* They will

😜 MichaelM21
Thiemo Scherle (thiemo.scherle@incapptic.com)
2019-11-26 22:03:49

@Thiemo Scherle has joined the channel

Wannes De Boodt (wannes.de.boodt@proximus.com)
2019-12-02 13:44:35

Hi all. One of our customers has an internal and an external DMZ. They want to use Sentry for EAS with one Sentry interface in the public DMZ and another one in the internal DMZ. Is that both supported and possible?

Mark Vonk (mark.vonk@dahvo.com)
2019-12-02 13:49:54

*Thread Reply:* Yes, that is perfectly possible

Wannes De Boodt (wannes.de.boodt@proximus.com)
2019-12-02 13:53:01

*Thread Reply:* 👍thanks mark

Mark Vonk (mark.vonk@dahvo.com)
2019-12-02 18:55:22

*Thread Reply:* Just configure and enable the second interface. Make sure you add the correct routes (and default route) and it should work like a charm

Wannes De Boodt (wannes.de.boodt@proximus.com)
2019-12-04 08:18:25

*Thread Reply:* I can confirm it works as expected. Thanks for your help!

Govi (byodmdm@gmail.com)
2019-12-02 15:15:10

@Govi has joined the channel

Aamir Khan (aamir.tauqir@outlook.com)
2019-12-03 13:22:22

@Aamir Khan has joined the channel

Florian FERRAND (florian.ferrand@econocom.com)
2019-12-03 14:27:27

@Florian FERRAND has joined the channel

MichaelM21 (mike.miller815@yahoo.com)
2019-12-04 14:56:19

How can I enable MAM with an existing MobileIron Core - MAM-Only will not work because I cannot disable the MDM profile. Is there a way like with AppStation? Or will I need another Core instance?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-12-04 15:06:29

*Thread Reply:* With core its EMM/Appconnect or MAM/Appstation. You will need a another Core.

🙏 MichaelM21
Simon (sudeepn@vmware.com)
2019-12-09 18:21:58

@Simon has joined the channel

Govi (byodmdm@gmail.com)
2019-12-10 04:41:43

Anyone tried MobileIron Help@Work (Teamviewer) with Android Enterprise? How was it? Nice experience?

Wannes De Boodt (wannes.de.boodt@proximus.com)
2019-12-10 09:12:47

is MobileIron Access down (tenant eu1)? I can reach the admin portal, but federation seems corrupt on at least 2 customer tenants now

Mark Vonk (mark.vonk@dahvo.com)
2019-12-10 09:18:20

There was maintenance on the EU1 Access system this early morning, but it has completed.

Wannes De Boodt (wannes.de.boodt@proximus.com)
2019-12-10 09:19:24

just logged an urgent support case. here is their feedback: Thank you for reaching Mobileiron support. I will be assisting you on this issue.

Our SRE has identified the issue and currently working on the same at highest priority. I shall get back to you once it is fixed.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-12-10 10:47:13

its down, you can subscribe notifications when cloud components are down: https://status.mobileiron.com/

macbentosh (benbergthold@gmail.com)
2019-12-10 18:14:26

ok @here maybe I am losing my mind… I cannot force vpp to sync.. When I hit actions and update licences the progress bar doesn't come up, it just shows my apps.

Adrian Patrascu (adrian.patrascu88@gmail.com)
2019-12-13 09:10:51

*Thread Reply:* We are having similar issues. We were not able to have this fixed, yet. And automatic sync does not work for us.

Kiran Patel (kiran@kiranpatel.net)
2019-12-10 18:44:38

anyone here use assemble to run install application reports? I would like a way to match devices to be a member of 2 labels to ensure they are recent devices and doesn't include stale devices (out of compliance, not checked in recently, etc). Anyone do something similar and have a good way of doing this with assemble?

Kiran Patel (kiran@kiranpatel.net)
2019-12-10 18:44:51

if not with assemble powershell works too if you have a script. 😄

MichaelM21 (mike.miller815@yahoo.com)
2019-12-11 16:06:53

We want to use SMIME with iOS native client (MI Core). The user needs to upload the cert within the SSP. So I have created the user provided config, referenced this config in the Exchange config within the SMIME section and applied both to a label. The user cert (external trusted) is visible on the device and also enabled with the advanced settings of the mail account. But if I create a new email I receive the error „account not setup for signing..“.. found nothing in the Mobile@Work logs, still have to check the xCode logs. Any help? Maybe the cert doesn’t fit the new iOS requirements

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-12-12 10:34:25

*Thread Reply:* Is the Cert itself enabled for encryption and signing? Is signing and encryption configured in the Exchange Config? What if you disable signing and only leave encryption? Is the Cert also Apple trusted? I would push the Root Cert of the CA regardless of trust. Are the pub certs of the recipients avaliable in the GAL?

MichaelM21 (mike.miller815@yahoo.com)
2019-12-12 14:13:12

*Thread Reply:* You bring up very good points. 1.) The same Cert is already being used on Outlook desktop, so I believe signing and encryption should be in them. 2.) yes, both enabled in the Exchange config. 3.) gotta test if encryption only works 4.) verifying that if it is Apple trusted 5.) so the root cert of the external trusted CA, ok gotta check that. 6.) not sure about that.. is that relevant if the error comes up with choosing „compose new email“.. not sending it, getting the error before that.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-12-13 08:02:35

*Thread Reply:* 6.) This problem should become visible when you try to add recipients to a new mail.

MichaelM21 (mike.miller815@yahoo.com)
2019-12-13 09:18:24

*Thread Reply:* We found out that the validity of the cert is 3 years! Regarding to the Apple requirements for iOS 13, this is definitely the problem! 😳 also I can’t see id-kp-serverauth OID in the details of the cert! Not sure If I should see it, or if it is only visible showing the details via OpenSSL

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-12-13 11:52:42

*Thread Reply:* Afaik in either case, the private key must have the “Secure Email” extension OID (1.3.6.1.5.5.7.3.4) as an EKU, and:

  • (for email signing): must have the Digital Signature or Non-Repudiation OIDs as a Key Usage.
  • (for email encryption): must have the Key Agreement or Data Encipherment OIDs as a Key Usage.
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-12-13 11:58:27

*Thread Reply:* afaik 3 years should not be the problem, since this Apple requirement on that is only for Server Auth not for Client.

MichaelM21 (mike.miller815@yahoo.com)
2019-12-13 12:59:45

*Thread Reply:* Ah ok thanks.. By any chance you have the client requirements outlined by Apple? Obviously I have the wrong one.

https://support.apple.com/en-us/HT210176

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-12-13 13:37:08

*Thread Reply:* afaik Client Certs only need to be trustworthy for the device, and the Server they are used against needs to comply with https://support.apple.com/en-us/HT210176 and also be trustworthy to the device

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2019-12-19 08:08:30

*Thread Reply:* did you find the problem?

MichaelM21 (mike.miller815@yahoo.com)
2019-12-19 13:46:09

*Thread Reply:* No not yet. Still investigating

Doug316 (dougwill316@gmail.com)
2019-12-13 06:20:58

@Doug316 has joined the channel

Phil Hackett (phil.hackett83@gmail.com)
2019-12-16 12:23:49

For anyone that is using SCEP profiles with an internal Microsoft CA, how do you handle manual certificate revocation?

Our certcheckjob is showing 1000’s certs in a ‘Manual Revocation state’. According to MI support there is no mechanism for SCEP to communicate revocation back to the Microsoft CA. So they must be manually revoked on the CA and will be purged from Core DB during the next certcheckjob run.

Our PKI team doesn’t want to revoke thousands of certs on their CA. They fear it will severely impact CA / CRL checking performance.

Peter Mohr (pm@conscia.com)
2019-12-16 12:30:34

*Thread Reply:* @Phil Hackett they are right in that revoking certs will make the CRL grow. Office365 just recently "finally" documented that 20mb and 10seconds are your limits for CRL in Azure... This would be around 400,000 certs....

Peter Mohr (pm@conscia.com)
2019-12-16 12:31:43

*Thread Reply:* BUT never issue certs without a procedure for revoking them again... you also don't print paper with your password and hand them out

Phil Hackett (phil.hackett83@gmail.com)
2019-12-16 13:13:44

*Thread Reply:* Thanks @Peter Mohr . Good info regarding the CRL limits. We’re looking at using API’s to automate certificate revocation on CA side.

Peter Mohr (pm@conscia.com)
2019-12-16 13:14:34

*Thread Reply:* https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started

Keith Metzger (kmetzger@christianacare.org)
2019-12-23 16:46:23

Hi everyone! Question about MobileIron and a new implementation of Android Enterprise… We have a few apps that we deploy to Android users by downloading the .apk from the Google Play store and importing into the MobileIron Apps@Work catalog. We are now implementing Android Enterprise and trying to use the managed Google Play store, but when we try to add the app, it gives an error stating that the app already exists. I’m hesitant to delete the .apk as I think it will start removing the app from the devices. We have a ticket open with MI already, but I wanted to see if anyone has encountered this before. Thanks!

Jason Bayton (jason@bayton.org)
2019-12-23 16:59:07

*Thread Reply:* This isn't really a good approach to app management.. without deleting the apps I'm not sure you'll be able to do too much. Perhaps create a new space and properly separate AE from legacy? I've not touched MI for a bit though so @NicolasR any tips?

NicolasR (raison_nicolas@me.com)
2019-12-23 17:31:43

*Thread Reply:* On Core spaces can do the job. AE must be on the global space

Keith Metzger (kmetzger@christianacare.org)
2019-12-23 21:00:07

*Thread Reply:* We’re on Core but not utilizing spaces. Can you send me a link to the documentation?

Phil Burk (philburk@mac.com)
2020-01-09 16:16:23

MI cloud down for others?

Mark Vonk (mark.vonk@dahvo.com)
2020-01-09 16:25:53

*Thread Reply:* Which one are you on? Just got a message NA2 is having issues.

NicolasR (raison_nicolas@me.com)
2020-01-10 12:51:48

*Thread Reply:* @Phil Burk You should subscribe to updates: https://trust.mobileiron.com Yesterday there was an outage on NA2 yes.

Phil Burk (philburk@mac.com)
2020-01-11 20:51:14

*Thread Reply:* @Mark Vonk customer is on na2

iMZ (mark_zimmermann@me.com)
2020-01-10 17:56:52

Does MobileIron support user enrollment on iOS 13?

Marc van der Kooy (marc.vanderkooy@gmail.com)
2020-01-10 18:03:53

*Thread Reply:* not yet afaik. Only JAMF and Intune(partially)

Peter Mohr (pm@conscia.com)
2020-01-11 13:41:11

*Thread Reply:* and Workspace ONE

Phil Burk (philburk@mac.com)
2020-01-11 20:50:43

@NicolasR thank you

Julian Brennan (julian.brennan@m2k.com.au)
2020-01-13 03:02:57

@Julian Brennan has joined the channel

TGR (tgr@twise.dk)
2020-01-13 11:04:48

@TGR has joined the channel

TGR (tgr@twise.dk)
2020-01-13 11:07:28

Android Enterprise related: Is it possible to enroll a work managed device using a QR code with a token instead of using a user (like in MobiControl, Google and Intune)? If so, where do I find the token to add to the QR code?

Phil Hackett (phil.hackett83@gmail.com)
2020-01-13 11:23:25

*Thread Reply:* It’s definitely possible using the MobileIron Provisioner app. Just download it from the Play Store and you can create QR codes for enrolling Work Managed devices.

Phil Hackett (phil.hackett83@gmail.com)
2020-01-13 11:24:05

*Thread Reply:* https://play.google.com/store/apps/details?id=com.mobileiron.client.android.nfcprovisioner&hl=en

TGR (tgr@twise.dk)
2020-01-13 11:35:51

*Thread Reply:* I've already downloaded the Provisioner app - It's from that app, I'm prompted for a token (and host name or user name), but I don't know where to find it in the console?

NicolasR (raison_nicolas@me.com)
2020-01-13 11:36:21

*Thread Reply:* Are you on Mobileiron Cloud or Core?

NicolasR (raison_nicolas@me.com)
2020-01-13 11:36:30

*Thread Reply:* Tokens are for Cloud only

TGR (tgr@twise.dk)
2020-01-13 11:36:32

*Thread Reply:* cloud

NicolasR (raison_nicolas@me.com)
2020-01-13 11:36:47

*Thread Reply:* Ok it’s the “bulk enrollment” menu

NicolasR (raison_nicolas@me.com)
2020-01-13 11:37:05

*Thread Reply:* Then you create your CSV and it creates a unique token for you

TGR (tgr@twise.dk)
2020-01-13 11:37:37

*Thread Reply:* So you have to know which devices will enroll first?

TGR (tgr@twise.dk)
2020-01-13 11:38:44

*Thread Reply:* are you talking about the bulk enrollment part of the provisioner app?

TGR (tgr@twise.dk)
2020-01-13 11:39:09

*Thread Reply:* or is there somewhere on the dashboard/console, where I can find it?

NicolasR (raison_nicolas@me.com)
2020-01-13 11:39:12

*Thread Reply:* Bulk enroll is to provision devices based on a S/N or IMEI yes

NicolasR (raison_nicolas@me.com)
2020-01-13 11:39:47

*Thread Reply:* But token is not required

NicolasR (raison_nicolas@me.com)
2020-01-13 11:40:07

*Thread Reply:* You can ask for credentials and depending on options it can be a Pin or password

TGR (tgr@twise.dk)
2020-01-13 11:40:09

*Thread Reply:* ahh - ok. So MI needs to know the device before accepting the token within the QR when enrolling?

TGR (tgr@twise.dk)
2020-01-13 11:41:17

*Thread Reply:* This unfortunately makes it a bit more cumbersome than the competition Intune and MobiControl 😞

TGR (tgr@twise.dk)
2020-01-13 11:42:32

*Thread Reply:* For some of my setups, it makes good sense to have devices that aren't related to one particular user - Rugged devices and kiosk devices..

TGR (tgr@twise.dk)
2020-01-13 11:43:05

*Thread Reply:* where do I create the CSV to obtain the token from?

TGR (tgr@twise.dk)
2020-01-13 11:44:30

*Thread Reply:* ahh - I think I found the Bulk enrollment tab and have downloaded the csv template.

NicolasR (raison_nicolas@me.com)
2020-01-13 11:46:39

*Thread Reply:* So no, MobileIron does NOT need to know the device before

NicolasR (raison_nicolas@me.com)
2020-01-13 11:47:00

*Thread Reply:* We just need to know if you want avoid any user prompt and enroll the device with only the QRcode

NicolasR (raison_nicolas@me.com)
2020-01-13 11:47:53

*Thread Reply:* Basically if you can share the use case you try to achieve we can see how to solve it 😉

TGR (tgr@twise.dk)
2020-01-13 11:51:06

*Thread Reply:* he he - thanks! I just want to be able to enroll the devices into kiosk mode with as little as possible user interaction. Normally I'd just add an enrollment token into the QR code and the management system will figure out which tenant to send the device to and which configuration might need to be applied.

TGR (tgr@twise.dk)
2020-01-13 11:55:00

*Thread Reply:* I was expecting to be able to point at a particular device group from a given token, but I still need to figure out where to generate/find the token to add to the QR (if this is the way to achieve this in MI) 🙂

TGR (tgr@twise.dk)
2020-01-13 11:56:39

*Thread Reply:* The use case would be decentral staging of devices that have been shipped directly to a depot or warehouse and the local IT should be able to enroll the devices by a scan of a barcode.

TGR (tgr@twise.dk)
2020-01-13 11:57:19

*Thread Reply:* I guess it should be the same token as used when doing zero touch as the json is pretty much the same 😉

NicolasR (raison_nicolas@me.com)
2020-01-13 13:30:04

*Thread Reply:* You should use a “technical” user account where all your warehouse devices are associated to. These devices will have a QRCode with the username and password for this account

NicolasR (raison_nicolas@me.com)
2020-01-13 13:30:56

*Thread Reply:* Important to note is if you are using Android enterprise, check the “device account” setting in the user account settings. This will avoid being limited to 10 devices per user account

TGR (tgr@twise.dk)
2020-01-14 09:02:22

*Thread Reply:* So I can't use a token instead of a user and PW? Do I need to have the username and pw inside the QR code?

TGR (tgr@twise.dk)
2020-01-14 10:51:59

*Thread Reply:* In that case, the user staging the device will always need to know the password of the 'technical user'?

Cherish Dickey (dickey_cherish@bah.com)
2020-01-13 23:05:33

Has anyone attempted to customize the status info field within M@W for iOS? I would like to add the actual reasons but can’t find where to edit it within Core.

Kiran Patel (kiran@kiranpatel.net)
2020-01-14 15:27:38

*Thread Reply:* Haven't tried in a while but I believe this may be in the event center?

Cherish Dickey (dickey_cherish@bah.com)
2020-01-14 15:29:25

*Thread Reply:* Yeah, I tried event center and that seems to only send the info via a Push notification, it doesn't populate this section.

Wannes De Boodt (wannesdeboodt@gmail.com)
2020-01-14 08:00:48

@Wannes De Boodt has joined the channel

Tobias (tobias.gruenewald@ebf.com)
2020-01-14 10:56:50

According to KB article this was "expected for late 2019". Well, it is 2020 now and the article was not yet updated. Would be great to get some news regarding this. (https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TOVjSAO)

} Mark Zimmermann (https://mobilxperts.slack.com/team/UHM631DPW)
NicolasR (raison_nicolas@me.com)
2020-01-14 11:26:49

*Thread Reply:* Q2

👍 Phil Burk
Almar Diehl (almar.diehl@blaud.com)
2020-01-16 14:39:41

Well Apple finally communicated a date after which new and updated apps using UIWebView APIs will no longer be accepted in the AppStore. This means that companies using Web@Work (and possibly Docs@Work) will need to start planning a migration to WKWebView and Per-App VPN.

https://developer.apple.com/news/?id=12232019b

👍 Mark Vonk, Sebastian, Wolfgang Bauer, Jason, Adrian Patrascu
NicolasR (raison_nicolas@me.com)
2020-01-17 10:17:26

adding to this 👆 we are working on making Tunnel available for this usage exclusively to Gold licensed customers - Currently officially it’s still a “per-customer” request but soon it will certainly change

👍 Almar Diehl, Adrian Patrascu
macbentosh (benbergthold@gmail.com)
2020-01-17 17:13:45

how can we use outlook iOS with mobileiron?

Kiran Patel (kiran@kiranpatel.net)
2020-01-17 19:28:59

*Thread Reply:* can you be more specific? with O365, with or without sentry, just configs, etc?

Tinus (freewheelzgroningen@gmail.com)
2020-01-21 15:39:49

Is it correct that within MI Cloud, when you make use of managed playstore apps in an AE Kiosk setup, those apps are not automatically updated if there is a new version available in the Playstore? As long as the device is in Kiosk the app is not updated, but when released from Kiosk there is an upgrade notice for that app.

NicolasR (raison_nicolas@me.com)
2020-01-22 09:25:59

*Thread Reply:* IMHO this only applies to MobileIron Go

Balaji Arumugam (BArumugam.CAI@transitchicago.com)
2020-01-21 16:48:23

@Balaji Arumugam has joined the channel

Woody (eric.woodland@trust.tc)
2020-01-24 20:25:50

What is the proper means to deploy an Exchange Config driving OAuth for the Apple Mail client in Core?

🤔 NicolasR
NicolasR (raison_nicolas@me.com)
2020-01-25 15:11:40

*Thread Reply:* Don’t get the point sorry

Mark Vonk (mark.vonk@dahvo.com)
2020-01-26 09:50:18

*Thread Reply:* Create an exchange config as per usual but set authentication to oAuth

👍 Woody
Woody (eric.woodland@trust.tc)
2020-01-27 16:10:59

*Thread Reply:* @Mark Vonk Do you know if Apple ever incorporated a means to deploy an Exchange config, but only with Mail or Calendar or Contacts enabled once it installs?

Mark Vonk (mark.vonk@dahvo.com)
2020-01-27 17:35:51

*Thread Reply:* Yes, since iOS 13.

See: https://developer.apple.com/documentation/devicemanagement/exchangeactivesync

Check the EnableContacts, etc. properties

🤘 Woody
Woody (eric.woodland@trust.tc)
2020-01-27 17:45:08

*Thread Reply:* Nice @Mark Vonk - I had a brief recollection of this feature actually coming to life (since we had asked about it dating all the way back to iOS 9). Oh, happy day 🙂

NicolasR (raison_nicolas@me.com)
2020-01-27 18:06:47

*Thread Reply:* ==> CORE 10.6

🤘 Woody
Woody (eric.woodland@trust.tc)
2020-01-27 18:27:05

*Thread Reply:* @NicolasR I show 10.5.1.0 GA. Is 10.6 in Beta?

NicolasR (raison_nicolas@me.com)
2020-01-27 19:51:39

*Thread Reply:* March 4th for GMRC is the target

👍 Woody
Woody (eric.woodland@trust.tc)
2020-01-27 17:10:48

MobileIron MTD - What does it do for iOS Mail in terms of Phish detection and action?

Paul Troisi (ptroisi@troymobility.com)
2020-01-27 20:00:44

*Thread Reply:* Hey Eric, HNY! Hope things are well with you. Depends on a couple of factors including whether you want to take action on the device or you want MI to perform remediation. When you enable local VPN capabilities in Phishing Threats in the ZConsole, it also maps back to the Site Insight Threat Policy where you can perform either device actions or set the remediation in the MDM Action. You can remove, block, quarantine or wipe if you would like. You can also block known phishing URL's at the device level if needed. You want to take a look?

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2020-01-27 21:08:17

*Thread Reply:* @Paul Troisi is this with updated phishing detection with their VPN capabilities or with the content blocker integration? I haven't looked at this in 6 months or so

Paul Troisi (ptroisi@troymobility.com)
2020-01-27 21:10:29

*Thread Reply:* Yes, with their VPN on activation, as well as using their own VPN on the device.

👍 Woody
Woody (eric.woodland@trust.tc)
2020-01-27 21:56:44

*Thread Reply:* @Paul Troisi - Nice! I’ll give you a shout tomorrow. If we’re able to perform comprehensive remediation on the device (before a user has time to tap/click into a phish attempt) this could be worth its weight 🙂

Kiran Patel (kiran@kiranpatel.net)
2020-01-28 21:57:25

*Thread Reply:* Any docs on the help site about this?

Woody (eric.woodland@trust.tc)
2020-01-29 18:36:58

*Thread Reply:* @Kiran Patel I’m gonna hop into the ZConsole and will look. If not there, @Paul Troisi may be able to scour their help site.

MichaelM21 (mike.miller815@yahoo.com)
2020-01-28 09:10:31

Email+ for Android Enterprise - Signature! There is $Default$ - where can this be changed? Can I use other variables like $email$ or $first_name$ in the config for the signature?

NicolasR (raison_nicolas@me.com)
2020-01-28 11:00:15

*Thread Reply:* Yup you can, everything is in the documentation for the key value pair

MichaelM21 (mike.miller815@yahoo.com)
2020-01-28 12:48:28

*Thread Reply:* Well, I have looked in the Email+ documentary, but not really a lot of infos there how to configure the default signature for AE! Key value pairs are not relevant for AE! Maybe we are talking about different docs.

NicolasR (raison_nicolas@me.com)
2020-01-28 18:03:23

*Thread Reply:* Ok so I was more thinking on iOS side. So for AE you’re right, not required to add KVP, but definitely the standard variables should work as you mentioned

🙏 MichaelM21
MichaelM21 (mike.miller815@yahoo.com)
2020-01-28 18:05:32

*Thread Reply:* 👍 cool I will test it..

Pär (par.rasmuson@gmail.com)
2020-01-29 13:55:55

@Pär has joined the channel

Melkon Torosyan (melkon.torosyan@sbb.ch)
2020-01-29 14:08:11

@Melkon Torosyan has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-01-30 15:40:22

@Mikey2000 has joined the channel

Christian (christian.jucker@intellec.ch)
2020-02-09 15:24:07

@Christian has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-02-11 18:30:27

Anyone using Core and Sentry on XenServer virtualization?

ottseba (ottsebadm@gmail.com)
2020-02-12 10:15:16

*Thread Reply:* Tried several times with some customers… Not a good idea 😉 And not officially supported

Mikey2000 (mscottscranton079@gmail.com)
2020-02-12 15:07:41

*Thread Reply:* Thank you! ✌️

👍 ottseba
Denis MICHEL (dmi@itsibelem.com)
2020-02-13 14:31:46

@Denis MICHEL has joined the channel

Thomas TERRIEN (tte@itsibelem.com)
2020-02-13 14:35:50

@Thomas TERRIEN has joined the channel

gregos000 (gsa@itsibelem.com)
2020-02-13 14:49:11

@gregos000 has joined the channel

Yohann MORISSEAU (ymo@itsibelem.com)
2020-02-14 14:37:26

@Yohann MORISSEAU has joined the channel

Anders Hermansson (anders.hermansson@techstep.se)
2020-02-17 13:07:37

@Anders Hermansson has joined the channel

Phil Hackett (phil.hackett83@gmail.com)
2020-02-19 08:35:32

The Mobile@Work app was pulled from the Google Play Store today. No ETA from MI on when it will be back....

👍 Adrian Patrascu
😩 Wolfgang Bauer, Mikey2000, Melkon Torosyan
Adrian Patrascu (adrian.patrascu88@gmail.com)
2020-02-19 08:58:16

*Thread Reply:* Thank you Phil for letting us know. I was also checking this in the morning and was surprised to see this is not available.

Melkon Torosyan (melkon.torosyan@sbb.ch)
2020-02-19 11:56:38

*Thread Reply:* Maybe MobileIron is forcing the Core-2-Cloud migration. 🙂

🤣 Phil Hackett, Mikey2000
Melkon Torosyan (melkon.torosyan@sbb.ch)
2020-02-19 12:26:28

*Thread Reply:* I am almost sure there was a violation of the Repetitive Content policy (Mobile@Work and MobileIron Go). We had this problem a few weeks ago with our Enterprise Apps. It took about 24 hours to get them back to Managed Play Store. Reason: We maintain 3 apps for 3 different environments (test environment, integration environment, production environment). But if you publish your Enterprise apps with iframe, then you can bypass the problem, because they are permanently marked private and will only be scanned for malware. Sure, that is not a solution for MobileIron, but maybe for somebody here.

Mark Vonk (mark.vonk@dahvo.com)
2020-02-19 12:35:16

*Thread Reply:* It is actually an issue with the Phone Call logs permission the M@W client claims. It is not allowed for regular apps, but MDM clients are exempt after some kind of waiver. Apparently the app was withdrawn by Google despite the waiver. Google is already working on it to get it back.

👍 Phil Hackett, NicolasR, Adrian Patrascu
NicolasR (raison_nicolas@me.com)
2020-02-20 02:19:24

*Thread Reply:* @Melkon Torosyan we have a much more efficient way to move customers over to cloud without requiring re-enrollment so 😉 As Mark said, it was a mistake from Google Play team and Google AE team have worked with them to restore our app. By the way we had to change the version number as per Google requirement

👍 Melkon Torosyan
Adrian Patrascu (adrian.patrascu88@gmail.com)
2020-02-20 05:03:14

*Thread Reply:* Hi, this seems to be resolved at this time: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TUgVSAW 🙂.

NicolasR (raison_nicolas@me.com)
2020-02-20 05:05:22

*Thread Reply:* It is yes indeed

Mikey2000 (mscottscranton079@gmail.com)
2020-02-19 10:59:30

We use AEWP devices with MI Core. We deploy an Inhouse App via Google Play to these devices. The app needs to transfer files to a backend server, which sometimes can take up to one hour. Now if the screen lock becomes active (set via Security Policy) the app loses the connection. Is that normal? When the screen lock kicks in, is the network connection within the work profile dead? Can I control this somehow?

JeroenK (j.kruit@zetacom.nl)
2020-02-19 12:28:20

*Thread Reply:* You might check whether the app is excluded from battery optimization. From Android 6 (I think) doze mode or app standby might put apps in deep sleep if it uses too much battery power.

👍 Mikey2000
JeroenK (j.kruit@zetacom.nl)
2020-02-19 12:28:23

*Thread Reply:* https://developer.android.com/training/monitoring-device-state/doze-standby

✔️ AJ
Mikey2000 (mscottscranton079@gmail.com)
2020-02-19 12:52:17

*Thread Reply:* Thanks I will check it out. Sounds like the problem

mahiroux (mhyb.mk@gmail.com)
2020-02-20 17:46:56

We are using Email+ 3.X as email client for the Android Enterprise users. When we click a SharePoint approval workflow link from the email, it opens a blank page without inline text; however, the same link works as desired on the AppConnect Email+. Anyone know how to fix this?

Mikey2000 (mscottscranton079@gmail.com)
2020-02-24 19:06:30

Has anyone had a similar issue with uploading an external trusted SSL certificate (pfx format) on Sentry: We have a valid PFX, upload within the Sentry configurations on the Admin Portal works, but uploading the same PFX file within the Sentry System Manager fails with the error (no key or no certificate found)... or something similar. We also tried different browsers! Sentry 9.7.2

Ladislav Blazek (ladislav@lblazek.cz)
2020-02-25 18:54:36

*Thread Reply:* Does the pkcs12 file contain full certificate chain?

Mikey2000 (mscottscranton079@gmail.com)
2020-02-25 20:47:59

*Thread Reply:* Yes it does

Mikey2000 (mscottscranton079@gmail.com)
2020-02-25 20:49:03

*Thread Reply:* If we upload the file in the admin portal the whole chain is visible. Also if you install it on a Windows Client. Only Sentry MICS will not accept it.

Ladislav Blazek (ladislav@lblazek.cz)
2020-02-25 21:27:11

*Thread Reply:* I saw similar error in the past with S/MIME certificate and key alias matching. Try to import the cert to Windows machine cert store, then export it with PK and full chain and import that file to MICS.

👍 Mikey2000
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-02-26 07:10:44

*Thread Reply:* Had the same. Converted the cert with openssl. Then it worked.

👍 Mikey2000
Kern Smith (kern.smith@zimperium.com)
2020-02-25 14:48:59

@Kern Smith has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-02-27 15:11:11

Isn’t this the TLS certificate on Core? This is still valid but some users receive this:

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-02-27 15:15:33

*Thread Reply:* Does the Certificate comply with the iOS13 requirements?

Mikey2000 (mscottscranton079@gmail.com)
2020-02-27 15:41:36

*Thread Reply:* Ah so you believe the server certificate which is used for TLS (same as the portal certificate) does not comply with iOS13? If I browse with Safari to Core from the device it should also not work regarding to your theory, right? (Which works without issues btw)

NicolasR (raison_nicolas@me.com)
2020-02-27 15:45:17

*Thread Reply:* shc.mobileiron.com

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-02-27 15:47:01

*Thread Reply:* No issues with the health checker

Mikey2000 (mscottscranton079@gmail.com)
2020-02-27 16:57:54
NicolasR (raison_nicolas@me.com)
2020-02-28 00:49:57

*Thread Reply:* Might be related

Mirko Bülles (mbulles@mobileiron.com)
2020-03-18 13:28:36

*Thread Reply:* I'm reading up on Cloud R69 there is some client cleanup "Remote service TLS client AUTH certificate weak signature < SHA384 renewal" being done. Not sure if this will also happen in the upcoming Core release.

Mikey2000 (mscottscranton079@gmail.com)
2020-03-02 12:14:48

Was Android Email+ v2.x also pulled from Google Play - can’t find em and can’t deploy em only Version 3 is there

Mirko Bülles (mbulles@mobileiron.com)
2020-03-03 10:03:16

Email+v2 should be back again

👍 Mikey2000
iMZ (mark_zimmermann@me.com)
2020-03-06 08:30:36

Does anyone know an overview when to use the profile manager of macOS server and when to use Jamf, MobileIron or something else?

Thomas B. (tbosboom@apple.com)
2020-03-06 09:26:47

*Thread Reply:* I would not use profile manager in production - think of it as a reference implementation that is great for testing

👍 Peter Mohr
iMZ (mark_zimmermann@me.com)
2020-03-06 11:39:30

*Thread Reply:* Me too, but is there a fact comparison to a professional MDM System?

Mathieu Beaugrand (beaugrandma@gmail.com)
2020-03-10 21:49:30

*Thread Reply:* Profile Manager is only for testing, as it can’t scale up for production use. Even Apple admit it.

Nico Hermeling (nico.hermeling@outlook.com)
2020-03-06 13:26:19

Hi, has anyone successfully tunneled (MI Tunnel) the HCL Verse app with Android Enterprise Fully Managed with Work Profile and Android 10? The same config is working for Chrome, so it’s not the Tunnel config itself.

Almar Diehl (almar.diehl@blaud.com)
2020-03-06 14:27:22

*Thread Reply:* Yes, both fully managed with work profile and work profile on BYOD.

Ole Daugaard (odaugaard@gmail.com)
2020-03-07 07:08:32

@Ole Daugaard has joined the channel

Viktor Dmitriev (Viktor.Dmitriev@bluecue.de)
2020-03-10 10:46:03

@Viktor Dmitriev has joined the channel

Marlon Ying (mying@mobileiron.com)
2020-03-11 16:30:57

@Marlon Ying has joined the channel

Adrian Patrascu (adrian.patrascu88@gmail.com)
2020-03-17 05:40:13

Hi guys, I am posting this here as I know it will benefit you - When updating Mobile@Work for iOS to 12.2.0 or 12.2.1, a small percentage of devices lose their registration status in Mobile@Work - KB article: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TWIzSAO. We did not see any cases escalated thus far to us, but from what I have read, reboots or software updates could trigger this behavior on the device side.

Ala Almaet (ala@alaalmaet.com)
2020-03-17 22:43:54

*Thread Reply:* Mobile@Work 12.2.2 has been released that resolves this issue.

👍 Woody, Adrian Patrascu
Almar Diehl (almar.diehl@blaud.com)
2020-03-18 08:23:10

*Thread Reply:* The update is nicely on time before the mass upgrade to iOS 13.4 starts….

👍 Woody, Kiran Patel, Adrian Patrascu
Kiran Patel (kiran@kiranpatel.net)
2020-03-19 17:49:39

does anyone know if MI Core supports iOS account selective syncing through profile such as just contacts and no mail / calendar?

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-19 17:53:19

*Thread Reply:* Nope, not yet supported. I just recently asked our technical presale contact in relation to 10.6 release.

Nico Hermeling (nico.hermeling@outlook.com)
2020-03-19 18:53:20

*Thread Reply:* As far as I know it’s not in 10.6

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-19 19:06:44

*Thread Reply:* Please raise request to MI if you want to see this implemented in the future. This is imo big oversight from MI side as support of that feature will be perfect for Email+ users struggling with contacts sync to native contacts.

👍 Woody, Phil Burk, Kiran Patel
Woody (eric.woodland@trust.tc)
2020-03-19 19:31:23

*Thread Reply:* Yeah, I was thinking that was going live in 10.6 as well

Woody (eric.woodland@trust.tc)
2020-03-19 19:34:58

*Thread Reply:* I was thinking that you could create your own XML and use it… like we did for a lot of Dock/Home Screen setups before it made its way into the Core UI

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-19 19:38:37

*Thread Reply:* Depends if you need to include Identity cert via SCEP or not.

👍 Mikey2000
Ladislav Blazek (ladislav@lblazek.cz)
2020-03-19 19:43:48

*Thread Reply:* Anyway, this was one of the first iOS13 features supported by WS1 UEM. In my opinion easy to implement and quick win.

👍 Woody
Woody (eric.woodland@trust.tc)
2020-03-19 20:01:32

*Thread Reply:* Yeah / That feature could have been used SO many times for projects I was on in the past.

Nico Hermeling (nico.hermeling@outlook.com)
2020-03-19 21:00:48

*Thread Reply:* It is even implemented in Intune... We have already raised this to MI, because some of our customers need this

👍 Woody, Phil Burk, Jonas Hofer
Mark Vonk (mark.vonk@dahvo.com)
2020-03-20 09:53:07

*Thread Reply:* It was indeed set for 10.6, but fell off for some reason. The next version of Core and Cloud are supposed to have it as these are focused on iOS / macOS

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-03-20 20:16:39

*Thread Reply:* This is very disappointing. Come on #mobileiron you can do better than that!

Kiran Patel (kiran@kiranpatel.net)
2020-03-23 00:36:57

*Thread Reply:* @Mark Vonk does this mean Cloud doesn’t have it either?! Wow what a big miss. I’ll mention it on my call with them on Tuesday

Mark Vonk (mark.vonk@dahvo.com)
2020-03-23 07:07:13

*Thread Reply:* Correct, neither in Cloud yet.

Kiran Patel (kiran@kiranpatel.net)
2020-03-26 12:57:10

*Thread Reply:* pushed this up to MI mgmt that this is critical feature request for our company. We would like to sync just contacts and drive calendar / mail to Outlook app. does anyone have advice on how to try this through a custom payload but embed the scep cert as @Ladislav Blazek alluded to?

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-26 13:11:41

*Thread Reply:* @Kiran Patel this could help you https://mosen.github.io/profiledocs/payloads/common/exchange.html - it is possible to associate an SCEP credential with an Exchange configuration via the PayloadCertificateUUID key. You need to extract that reference from mifs database.

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-26 13:14:43

*Thread Reply:* I think the easiest way is to use Apple Configurator / Profile Manager to create Exchange profile with fake SCEP config and then replace reference to real SCEP payload.

👍 Woody, Mikey2000
Kiran Patel (kiran@kiranpatel.net)
2020-03-26 13:24:32

*Thread Reply:* thank you - that's what we are trying. was trying to get the formatting of those parameters for the xml as even apple documentation has the details but not the format

Kiran Patel (kiran@kiranpatel.net)
2020-03-26 13:25:18

*Thread Reply:* wish @John Zmyslowski and I luck 🙂

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-26 13:25:55

*Thread Reply:* @Kiran Patel Actually I am working on it right now as well as we have request from our customer for the same.

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2020-03-26 13:26:16

*Thread Reply:* let's keep each other updated :)

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2020-03-26 13:26:48

*Thread Reply:* I also see a cert pw and cert payload when I export the exchange config from MI

Kiran Patel (kiran@kiranpatel.net)
2020-03-26 13:27:30

*Thread Reply:* "certPassword"

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-27 08:07:22

*Thread Reply:* @Kiran Patel so far no luck. Unfortunately SCEP payload must be part of the same configuration profile as Exchange payload to be able to reference it…

Kiran Patel (kiran@kiranpatel.net)
2020-03-27 12:57:14

*Thread Reply:* @Ladislav Blazek We are close but appear to be having a variable substitution issue

Kiran Patel (kiran@kiranpatel.net)
2020-03-27 12:57:24

*Thread Reply:* not sure what format $email$, etc needs to be in

Kiran Patel (kiran@kiranpatel.net)
2020-03-27 12:57:42

*Thread Reply:* if i hardcode the email in the profile appears to honor it but haven't tried it with scep issuance

Kiran Patel (kiran@kiranpatel.net)
2020-03-27 12:58:05

*Thread Reply:* with a hard coded profile I did get the oauth auth part working with contact only honored

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-27 13:27:56

*Thread Reply:*
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>EmailAddress</key> <string>$EMAIL$</string>
            <key>EnableCalendars</key> <false/>
            <key>EnableCalendarsUserOverridable</key> <false/>
            <key>EnableContacts</key> <true/>
            <key>EnableContactsUserOverridable</key> <false/>
            <key>EnableMail</key> <false/>
            <key>EnableMailUserOverridable</key> <false/>
            <key>EnableNotes</key> <false/>
            <key>EnableNotesUserOverridable</key> <false/>
            <key>EnableReminders</key> <false/>
            <key>EnableRemindersUserOverridable</key> <false/>
            <key>Host</key> <string>misentry.test.local</string>
            <key>MailNumberOfPastDaysToSync</key> <integer>7</integer>
            <key>OAuth</key> <false/>
            <key>PayloadCertificateUUID</key> <string>65EF21E0-5F39-461E-AB63-ED00D2D4BB45</string>
            <key>PayloadDescription</key> <string>Configures an Exchange account</string>
            <key>PayloadDisplayName</key> <string>Penta Contacts Only</string>
            <key>PayloadIdentifier</key> <string>com.apple.eas.account.D0F55C47-4633-42F1-8651-96E05A017DA0</string>
            <key>PayloadType</key> <string>com.apple.eas.account</string>
            <key>PayloadUUID</key> <string>D0F55C47-4633-42F1-8651-96E05A017DA0</string>
            <key>PayloadVersion</key> <integer>1</integer>
            <key>PreventMove</key> <true/>
            <key>SMIMEEnabled</key> <false/>
            <key>SMIMEEncryptionEnabled</key> <false/>
            <key>SMIMESigningEnabled</key> <false/>
            <key>SSL</key> <true/>
            <key>UserName</key> <string>TEST\$USERID$</string>
            <key>disableMailRecentsSyncing</key> <true/>
        </dict>
    </array>
    <key>PayloadDisplayName</key> <string>Exchange Contacts Only</string>
    <key>PayloadIdentifier</key> <string>MBP-LB-S4U-9.FF125D06-169C-4ED7-80BC-3BC537D65084</string>
    <key>PayloadRemovalDisallowed</key> <false/>
    <key>PayloadType</key> <string>Configuration</string>
    <key>PayloadUUID</key> <string>2143B430-F9F1-49BA-8642-A2832A4DF3D4</string>
    <key>PayloadVersion</key> <integer>1</integer>
</dict>
</plist>

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-27 13:29:02

*Thread Reply:* @Kiran Patel that worked for me for basic auth.

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-27 13:31:05

*Thread Reply:* $EMAIL$ and $USERID$ is correctly substituted by the real values for the user

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-27 13:34:00

*Thread Reply:* But PayloadCertificateUUID part doesn’t work as the SCEP payload is not part of this custom profile. We need something like $CERTALIAS:<scepprofile_name>$ to make this working.

Kiran Patel (kiran@kiranpatel.net)
2020-03-30 17:01:39

*Thread Reply:* do you think the scep appsetting uuid would suffice?

Ladislav Blazek (ladislav@lblazek.cz)
2020-03-30 17:11:54

*Thread Reply:* @Kiran Patel as I said unfortunately no. SCEP payload must be included in the same configuration profile.

Kiran Patel (kiran@kiranpatel.net)
2020-03-30 20:37:41

*Thread Reply:* @Ladislav Blazek the SCEP cert itself or reference to the existing scep config that's already in core? that's the part where I'm getting lost comparing the exchange config out of MI and looking at the apple documentation

Kiran Patel (kiran@kiranpatel.net)
2020-03-31 02:02:40

*Thread Reply:* I think I follow what you're saying now... I recall when I tested android enterprise around 2.5 years ago and used it in the AE configs

Kiran Patel (kiran@kiranpatel.net)
2020-03-31 02:02:48

*Thread Reply:* too bad we can't embed that in the <certificate> parameter

Mikey2000 (mscottscranton079@gmail.com)
2020-03-20 07:20:50

Can anyone tell me why the automatic login is enabled when using the VM console, what's the purpose? Can this be disabled?

Mark Vonk (mark.vonk@dahvo.com)
2020-03-21 19:19:25

*Thread Reply:* Automatic login? What appliance? Typically you should perform an Enable command first to perform any configuration. Without Enable you can only view certain information.

Mikey2000 (mscottscranton079@gmail.com)
2020-03-23 17:21:06

*Thread Reply:* MobileIron Core. If I connect via VMware console it always performs an automatic login and I have no idea why and where this comes from! Connecting via SSH of course doesn’t

Mikey2000 (mscottscranton079@gmail.com)
2020-03-23 17:24:15

*Thread Reply:* Also same for Sentry:

Mikey2000 (mscottscranton079@gmail.com)
2020-03-25 06:12:09

*Thread Reply:* Nobody has seen this?

dr.ramanansv (dr.ramanansv@gmail.com)
2020-03-21 12:40:31

@dr.ramanansv has joined the channel

Nick (nickdiaz@gmail.com)
2020-03-23 14:50:51

Curious what everyone does about setting limits on incoming maximum attachment size for Email+. Default is 10 MB unless you change the KVP. Best practice recommendations are to match Exchange, but doing so may increase the likelihood of a failed attachment delivery.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-03-24 06:48:19

*Thread Reply:* normally we set it to match the exchange limits, to get continuous usability to desktops. With LTE and a good carrier we normally don't see failed delivery often.

Woody (eric.woodland@trust.tc)
2020-03-23 16:48:21

Curious / Has anyone tested MI Access with MacOS recently? Does the Tunnel and password-less SSO now work properly? About a year ago (when I last tested) Tunnel wasn’t able to behave how it should have and MacOS was not supported as a result.

AJ (ajorgensen@mobileiron.com)
2020-03-23 22:09:54

*Thread Reply:* Works fine

❤️ Woody
NicolasR (raison_nicolas@me.com)
2020-03-24 08:21:34

*Thread Reply:* Since Packet tunnel (last major update of tunnel - summer 2019), macOS tunnel is good. Chrome and other apps like teams can now be tunneled to provide password less experience. I use it daily on my work MacBook and no pain anymore.

❤️ Woody
Woody (eric.woodland@trust.tc)
2020-03-24 14:39:15

*Thread Reply:* @NicolasR wonderful! I wanted it to work so bad when I was testing it (vs WS1 Access)

Woody (eric.woodland@trust.tc)
2020-04-06 15:10:51

*Thread Reply:* @NicolasR can you confirm that this only works on Catalina?

NicolasR (raison_nicolas@me.com)
2020-04-06 15:12:06

*Thread Reply:* @Woody not as far as I know, our company switched to Packet tunnel even though we still have Mojave devices in the field

Woody (eric.woodland@trust.tc)
2020-04-06 19:31:07

*Thread Reply:* I was working on a PoV last week with MacOS and came across this (https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TQKLSA4)

NicolasR (raison_nicolas@me.com)
2020-04-06 19:36:11

*Thread Reply:* Oh right this is something that I forgot! This is what made me upgrade to Catalina

NicolasR (raison_nicolas@me.com)
2020-04-06 19:36:22

*Thread Reply:* Apple have still not fixed?

Woody (eric.woodland@trust.tc)
2020-04-06 19:38:36

*Thread Reply:* Not on Mojave. I have a MBP that’s on Catalina, but it’s bound to JAMF

Woody (eric.woodland@trust.tc)
2020-04-06 19:38:48

*Thread Reply:* Might need to spin-up a VM

NicolasR (raison_nicolas@me.com)
2020-04-06 19:43:00

*Thread Reply:* As far as this issue happened to me I was running Tunnel with App-Proxy, different than Packet-Tunnel. Maybe packet-tunnel doesn’t have this apple bug

👍 Woody
Woody (eric.woodland@trust.tc)
2020-04-06 20:11:31

*Thread Reply:* k! Let me flip it over to Packet Tunnel and see if that has any bearing on the outcome

Woody (eric.woodland@trust.tc)
2020-04-06 21:49:32

*Thread Reply:* @NicolasR Packet Tunnel doesn’t seem to have any different result. Tunnel/VPN profile are installed, but it doesn’t connect on-demand

Woody (eric.woodland@trust.tc)
2020-04-06 21:49:37

*Thread Reply:*

NicolasR (raison_nicolas@me.com)
2020-04-06 22:36:17

*Thread Reply:* @Woody with packet tunnel don’t use safari domains as it’s different. Try with match domains.

Also.... please don’t test macOS on CORE... It’s a bad idea....! Unless customer can’t be on CLOUD for whatever good reason (government/ministry,...) use Cloud!

👍 Woody
NicolasR (raison_nicolas@me.com)
2020-04-06 22:36:50

*Thread Reply:* Our Cloud product is good for macOS management, not Core to be fair

👍 Woody
Woody (eric.woodland@trust.tc)
2020-04-07 04:00:43

*Thread Reply:* Unfortunately, we’re going to be w/ CORE for quite some time. Just trying to get as much ROI from the product as possible. It’d be really nice to replace JAMF w/ CORE since it’s servicing only one platform.

NicolasR (raison_nicolas@me.com)
2020-04-07 09:36:03

*Thread Reply:* We did that also with a customer here but limitations are huge:
• No client auto-registration for DEP devices
• Scripts need to be signed - painful
• No MIP format support (only PKG which also requires signing)
Product on Cloud is so much ahead... Seriously, don’t do that with CORE and work rather on CORE to CLOUD migration for iOS/Android devices, our migration product is so easy and works so well (seriously speaking, don’t see any commercial approach here... it just works!)

👍 Woody
Woody (eric.woodland@trust.tc)
2020-04-07 17:10:00

*Thread Reply:* I totally hear you @NicolasR / Just in a position where what we have is working and we’re focusing $$ on other areas/efforts. What we may do is try to spin-up Cloud in parallel, but for now everything needed (we’re basic, Bro) is good in Core.

NicolasR (raison_nicolas@me.com)
2020-04-07 17:13:13

*Thread Reply:* 👍

Nico Hermeling (nico.hermeling@outlook.com)
2020-04-02 17:13:02

Has anyone preconfigured the Microsoft Office iOS apps (new Office Hub, Word, Excel) with the username on Core 10.5.1? I’ve created a managed app config based on this MI article: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxCHCA0

Here’s my plist-file:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>IntuneMAMUPN</key>
    <string>$USER_CUSTOM3$</string>
</dict>
</plist>
```

I’ve tried UPN ($USER_UPN$) as well. The config is applied to my device and the apps are installed, but no luck with preconfigurations. Any idea?

Ladislav Blazek (ladislav@lblazek.cz)
2020-04-02 20:55:30

*Thread Reply:* This managed config is not meant for pre-configuration of the account. IntuneMAMUPN will just mark the corresponding corporate account as managed inside Microsoft apps to distinguish it from personal.

Nico Hermeling (nico.hermeling@outlook.com)
2020-04-02 21:40:32

*Thread Reply:* Thanks. So it‘s not possible to pre-configure Office apps with MobileIron?

Ladislav Blazek (ladislav@lblazek.cz)
2020-04-02 22:29:14

*Thread Reply:* It is possible to preconfigure Outlook. Then you should be able to see account as available in other Microsoft apps (as they are allowed to share OAuth token in iOS Keychain).

Nico Hermeling (nico.hermeling@outlook.com)
2020-04-03 06:52:26

*Thread Reply:* I know it‘s possible that way, but that‘s not an option for the customer. Thank you

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-04-03 13:56:24

*Thread Reply:* Use MobileIron Access for Autologin ;)

👍 Nico Hermeling
Kiran Patel (kiran@kiranpatel.net)
2020-04-10 14:47:32

*Thread Reply:* For the most seamless experience here’s what we’ve tested and are hoping to roll out soon.

1) push MI Tunnel, Microsoft Authenticator and MS Outlook to devices with iOS Managed App Config to preconfigured. Authenticator will need the vpn tunnel profile associated with it.
2) using MobileIron Access the Auth experience will be completely seamless (iOS managed app Config gets the username and home realm discover done for the O365 tenant). Outlook will flip to MS Authenticator and MS leverages it almost as an SSO broker app. This also prevents having to attach the vpn tunnel profile to all other apps that does impact their performance a bit (even if you split tunnel)
3) once MS Authenticator has the Auth token and as a result the iOS keychain as Ladislav suggested other MS Office apps share it and no username or pw Auth will be needed. Worst case it flips to MS Authenticator which already maintains user identity even if it needs to Auth again

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-04-14 09:27:41

*Thread Reply:* but keep in mind Authenticator will hand the auth token also to other MS apps you might not want to use or cover as Managed.

Tinus (freewheelzgroningen@gmail.com)
2020-04-03 15:14:18

Hi there, is there a way to open a webclip by default in the Chrome browser on a supervised iOS device using MI, instead of the Safari browser ?

Peter Mohr (pm@conscia.com)
2020-04-03 15:17:50

*Thread Reply:* replace https:// with chromes:// and http:// with chrome:// 🙂

:the_horns: Woody
Tinus (freewheelzgroningen@gmail.com)
2020-04-03 15:55:14

*Thread Reply:* I knew there was something like that, just as for the web@work browser.. Thanks!

Tinus (freewheelzgroningen@gmail.com)
2020-04-06 14:06:13

Hi there again, anybody know if it is possible to place the standard Apps@Work webclip on iOS in a different folder/page thru the HomeScreen Layout configuration in MI Cloud? Standard location is the first page but I would like to place it in a folder on page 3 for instance. With webclips this is possible by adding a webclip, and then change the location in the Homescreen layout by adding the same webclip/URL. Is there a standard URL for the Apps@Work webclip, besides the certificate that is necessary?

Mikey2000 (mscottscranton079@gmail.com)
2020-04-07 14:16:09

Help@Work setup error when I click on Validate, any ideas? Firewall?

NicolasR (raison_nicolas@me.com)
2020-04-07 16:49:48

*Thread Reply:* CORE version?

Mikey2000 (mscottscranton079@gmail.com)
2020-04-07 17:35:22

*Thread Reply:* 10.6.0.0 - was a FW issue. Teamviewer was blocked!

👍 Woody
NicolasR (raison_nicolas@me.com)
2020-04-07 17:35:33

*Thread Reply:* ok good thanks

Mikey2000 (mscottscranton079@gmail.com)
2020-04-07 17:36:30

*Thread Reply:* 🙏👍

Mikey2000 (mscottscranton079@gmail.com)
2020-04-07 19:09:36

Changed our Web@Work setup to use Tunnel due to the WebView deprecation by Apple - but we have some backend websites which will not work after this change, they still work with the old configuration. Sentry service is <TCP_ANY>. I am trying to figure out the reason - wrong FW rules maybe? Any ideas?

NicolasR (raison_nicolas@me.com)
2020-04-07 20:52:58

https://www.mobileiron.com/en/blog/quickly-enable-your-remote-workforce-with-mobileiron-uem-at-no-cost?utmsource=linkedin&utmmedium=organic-social

🔥 Matt Dermody, Kiran Patel
Matt Dermody (jmdermody@gmail.com)
2020-04-07 21:27:24

*Thread Reply:* Well done!! I may give MI a spin given this.

Matt Dermody (jmdermody@gmail.com)
2020-04-07 21:27:48

*Thread Reply:* I primarily deal with Zebra Android in dedicated device situations. I see that you offer LifeGuard OTA and OEMConfig for MX support.

Matt Dermody (jmdermody@gmail.com)
2020-04-07 21:28:38

*Thread Reply:* Can you also support direct LoB app installs (bypassing Managed Play) for AEDO deployments? And what about File Management capabilities? Can you provision files into specific directories on the devices?

Matt Dermody (jmdermody@gmail.com)
2020-04-07 21:28:54

*Thread Reply:* (Assuming AEDO)

TGR (tgr@twise.dk)
2020-04-08 08:43:21

*Thread Reply:* MI supports direct apk installation, but not silently unfortunately (someone correct me if I’m wrong please).

TGR (tgr@twise.dk)
2020-04-08 08:47:02

*Thread Reply:* There are no file management capabilities unfortunately (again - someone correct me if I’m wrong please), so you’ll have to do with the OEMconfig, where it’s hard to accomplish an install process with a baseline (receiving a baseline config) and different levels (could be warehouses) where other files and configs are needed. At least, I have still to figure out the great method.

Matt Dermody (jmdermody@gmail.com)
2020-04-08 14:47:37

*Thread Reply:* Thanks for the insights! Agreed that, while FileMgr is there in OEMConfig, it is not ideal to have all the configuration settings in a single policy like that. OEMConfig also relies on Managed Configurations which I’m fairly certain would have been affected by the Google Play server outage over the past couple of days. We can’t have that sort of issue in mission critical device deployments.

Matt Dermody (jmdermody@gmail.com)
2020-04-08 14:54:31

*Thread Reply:* Without file management capabilities MI would be DOA for us. We have numerous external config files that we distribute that need to be placed in specific directories on the devices.

NicolasR (raison_nicolas@me.com)
2020-04-07 20:53:20

Stay safe everyone, feel free to leverage MI to face WFH situation for free 😉

Almar Diehl (almar.diehl@blaud.com)
2020-04-08 14:02:22

Has anyone successfully added VPP licenses for an iOS Custom App to MobileIron Core? I have ‘bought’ the VPP licenses for the available custom app but when I try to import the licenses to MI Core I see an error N/A (AppId: [id of custom app] not found).

NicolasR (raison_nicolas@me.com)
2020-04-08 14:48:25

*Thread Reply:* it works, I have some customers using it and I helped one setting that up last week 😉

✅ Woody, Almar Diehl
Mikey2000 (mscottscranton079@gmail.com)
2020-04-09 18:12:03

WebView deprecation and Docs@Work - with the current release there is no way to enable the new Webview and migrate to Tunnel, right?

NicolasR (raison_nicolas@me.com)
2020-04-09 22:26:25

*Thread Reply:* right

🙏 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-04-09 22:26:40

*Thread Reply:* but deprecation postponed due to covid

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-04-10 06:45:36

*Thread Reply:* Really? Is there an official statement from Apple?

Luiz Nascimento (luizgmn@br.ibm.com)
2020-04-13 22:00:35

Hello Everyone Does anyone know if there is any MobileIron free training ?

Woody (eric.woodland@trust.tc)
2020-04-13 22:26:08

*Thread Reply:* Hello! I do not believe so, but @Russell Mohr or @NicolasR may be able to shed more light on the subject.

NicolasR (raison_nicolas@me.com)
2020-04-13 23:49:10

*Thread Reply:* Mobileiron university online is free for our partners and customers

Woody (eric.woodland@trust.tc)
2020-04-14 01:46:07

*Thread Reply:* Ah yes. I was thinking @Luiz Nascimento was alluding to Instructor Led training.

NicolasR (raison_nicolas@me.com)
2020-04-14 09:46:26

*Thread Reply:* We do that locally for partners sometimes with instructor

Luiz Nascimento (luizgmn@br.ibm.com)
2020-04-14 12:55:14

*Thread Reply:* Got it Thanks @Woody and @NicolasR

👍 NicolasR
Mikey2000 (mscottscranton079@gmail.com)
2020-04-15 06:37:15

VIP Notifications for iOS Email+ question - there is a product bulletin with the need of a new Sentry for ENS. My questions:
- Is this also relevant for CNS v1 (Cloud Notification Service)
- Prerequisites are that VIP notifications need to be enabled - is this real time notifications hence CNS v2?

I find nothing in the Email+ guide about VIP notifications. Where do you enable VIP notifications now?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-04-15 07:58:13

vip notifications is a userfeature in email+ app

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-04-15 07:58:48

there are only two options: go for cns2 with vip, or vip notifications won't work anymore

Mikey2000 (mscottscranton079@gmail.com)
2020-04-15 13:17:52

*Thread Reply:* Ok got it thanks. So CNS v1 will not be impacted by that?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-04-16 09:47:33

*Thread Reply:* vip notifications need cnsv2 to work now. it's a new requirement for vip notifications to work. if your users are not using vip notifications, you don't need to implement them the new way. cnsv1 has problems, so it is a good idea to implement v2 regardless of vip notifications: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxdxCAC

Mikey2000 (mscottscranton079@gmail.com)
2020-04-16 15:43:45

*Thread Reply:* Great, thanks!

Alex Durrant (Alex.durrant@hybrit.co.uk)
2020-04-22 08:54:49

@Alex Durrant has joined the channel

John Zmyslowski (John.Zmyslowski@Blackstone.com)
2020-04-22 15:08:58

Hey Everyone. Has anyone seen an issue where certain apps are "stuck" in the state "PromptingForManagement" and the user either never receives the prompt for management or they have already selected "Update" in apps@work? (Core 10.5.1 on prem)

Mikey2000 (mscottscranton079@gmail.com)
2020-04-24 19:05:02

Having an issue with Email+ on iOS:
- We use Kerberos Constrained for Exchange
- We use the Core CA for issuing the certs

Native client works without issues BUT Email+ will not work - it will bring up a password prompt after the config was loaded. (Promptemailpassword is set to false) I have enabled „show configuration“ and I can see no errors. The user has been issued a cert and it is on the device, also the root cert of the Core CA is on the device. Has anyone any idea what the issue could be?

NicolasR (raison_nicolas@me.com)
2020-04-24 23:13:49

*Thread Reply:* Can you share your config? Did you add apptunnel rules on it? (You should not)

Mikey2000 (mscottscranton079@gmail.com)
2020-04-25 06:41:56

*Thread Reply:* Rookie mistake.. someone imported the wrong root cert! :facepalm::skintone_2:

NicolasR (raison_nicolas@me.com)
2020-04-27 09:18:53

*Thread Reply:* 👍 Always good to look at the config on monday morning after good rest right? 😉

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-04-28 05:56:54

Having an issue with a backend site and W@W: Opening the backend site via bookmark works without any problems. Opening the same backend site embedded as a javascript link on an intranet site will not work. Any ideas? Is javascript not supported?

NicolasR (raison_nicolas@me.com)
2020-04-28 09:28:01

*Thread Reply:* Javascript is supported but I know some specific technologies are not supported through Tunnel like Web socket

🙏 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-04-28 09:23:19

FYI, we had to bring down the KB article about the latest iOS vulnerability as per “someone’s” request... Hopefully Google cache is still there...

😳 Woody
👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-04-29 06:20:19

*Thread Reply:* MobileIron mentioned also Microsoft Outlook as an alternative - can Outlook be used with Kerberos Constrained Delegation? I don‘t see any fields in the app to put the SCEP in like with Email+ so I guess not - Update: so I found an article that Sentry is not supported so that answers my question. No KCD without Sentry. Right?

NicolasR (raison_nicolas@me.com)
2020-04-29 07:47:27

*Thread Reply:* @Mikey2000 that’s right

NicolasR (raison_nicolas@me.com)
2020-04-28 09:23:20

https://webcache.googleusercontent.com/search?q=cache:amqrHX_HvW4J:https://www.mobileiron.com/en/blog/apple-mail-rce-exploits-mobileiron-guidance+&cd=1&hl=en&ct=clnk&gl=au

👍 Mikey2000
Woody (eric.woodland@trust.tc)
2020-04-28 15:29:08

Interesting @NicolasR

Mikey2000 (mscottscranton079@gmail.com)
2020-04-28 15:50:54

How do we enable Mobile@Work for already enrolled DEP devices? Mobile@Work was not deployed for DEP devices - we want to do this now. But on some device we receive the message „Application reset, please re-register“ - but that fails because the MDM profile is already installed. What is the normal process here?

NicolasR (raison_nicolas@me.com)
2020-04-28 16:05:51

*Thread Reply:* Core, cloud, iOS or macOS?

Mikey2000 (mscottscranton079@gmail.com)
2020-04-28 16:08:13

*Thread Reply:* Sorry.. Core and iOS

NicolasR (raison_nicolas@me.com)
2020-04-28 16:09:28

*Thread Reply:* Ok, so just push M@W as app to install upon enrollment. It will self-register when user opens it.

Be careful: by default the registration window is 4 hours but can be changed in the UI starting Core 10.5+

Mikey2000 (mscottscranton079@gmail.com)
2020-04-28 16:12:55

*Thread Reply:* So you mean it can take up to 4hours until the self-register will work?

NicolasR (raison_nicolas@me.com)
2020-04-28 16:13:18

*Thread Reply:* no

NicolasR (raison_nicolas@me.com)
2020-04-28 16:13:31

*Thread Reply:* user has to open M@W during 4hours window

Mikey2000 (mscottscranton079@gmail.com)
2020-04-28 16:13:38

*Thread Reply:* Ahhh I see

NicolasR (raison_nicolas@me.com)
2020-04-28 16:13:39

*Thread Reply:* unless token expires

NicolasR (raison_nicolas@me.com)
2020-04-28 16:13:59

*Thread Reply:* but 4hours window can be set to higher value

NicolasR (raison_nicolas@me.com)
2020-04-28 16:14:09

*Thread Reply:* up to 1 year 😉

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-04-28 16:14:20

*Thread Reply:* 4hours until M@W was pushed or after the DEP enrollment

NicolasR (raison_nicolas@me.com)
2020-04-28 16:14:38

*Thread Reply:* Count down starts when M@W gets installed

Mikey2000 (mscottscranton079@gmail.com)
2020-04-28 16:14:44

*Thread Reply:* Gotcha

Mikey2000 (mscottscranton079@gmail.com)
2020-04-28 16:15:00

*Thread Reply:* Where do I find the setting to change that value?

NicolasR (raison_nicolas@me.com)
2020-04-28 16:19:20

*Thread Reply:* In the CORE MIFS Preferences

NicolasR (raison_nicolas@me.com)
2020-04-28 16:19:33

*Thread Reply:* sorry my CORE is broken at the moment can’t check exactly where...

NicolasR (raison_nicolas@me.com)
2020-04-28 16:20:59

*Thread Reply:* Ah it’s back

Mikey2000 (mscottscranton079@gmail.com)
2020-04-28 16:22:04

*Thread Reply:* Awesome - thank you. 👍👍 helped me out tremendously!

🍻 NicolasR, Mikey2000
Kiran Patel (kiran@kiranpatel.net)
2020-04-29 02:12:10

*Thread Reply:* @John Zmyslowski check this thread. @NicolasR can the 1 year extension window for Mobile@Work activation also occur for MI Cloud & MI Go App?

Kiran Patel (kiran@kiranpatel.net)
2020-04-29 02:12:36

*Thread Reply:* also have you used tiered compliance actions and notification rules in MI Core to prompt the user to launch the app?

Kiran Patel (kiran@kiranpatel.net)
2020-04-29 02:13:03

*Thread Reply:* great info here as always @NicolasR

NicolasR (raison_nicolas@me.com)
2020-04-29 07:46:22

*Thread Reply:* @Kiran Patel on Cloud the window is 24hours but renewed every time, so basically no limit 😉

Kiran Patel (kiran@kiranpatel.net)
2020-04-29 15:10:31

*Thread Reply:* sweet!

Woody (eric.woodland@trust.tc)
2020-04-28 21:57:50

Sanity check… I have a device that has a Core Security policy with a 90 day pass-code expiration. If I want to extend that by 45 more days, could I clone the existing policy, add 45 days (in total 135 days for expiration) and the pass-code expiration would extend on the device?

NicolasR (raison_nicolas@me.com)
2020-04-29 07:48:38

*Thread Reply:* No, setting won’t change unless doing it manually

Woody (eric.woodland@trust.tc)
2020-04-29 14:44:07

*Thread Reply:* @NicolasR Just to clarify, updating the security policy on the device (to a value greater than 90 days) would not extend the length on the device?

NicolasR (raison_nicolas@me.com)
2020-04-29 14:53:27

*Thread Reply:* Wait.. sorry I’m wrong I think

NicolasR (raison_nicolas@me.com)
2020-04-29 14:54:10

*Thread Reply:* it should work, as it’s not a device local setting

NicolasR (raison_nicolas@me.com)
2020-04-29 14:54:21

*Thread Reply:* not the same as for auto-lock time

Woody (eric.woodland@trust.tc)
2020-04-29 15:39:29

*Thread Reply:* Okay @NicolasR, I remember that. There is some difference between the MDM setting and local setting for the screen timeout values (and different between iPhone vs iPad)

Woody (eric.woodland@trust.tc)
2020-04-28 22:00:55

Trying to avoid having someone change the lock code on a fleet of iPads in a facility unless they absolutely have to

NicolasR (raison_nicolas@me.com)
2020-04-29 23:11:34

https://www.mobileiron.com/en/product/mobileiron-incapptic-connect?utmsource=linkedin&utmmedium=organic-social

👏 Woody, Almar Diehl, Mikey2000, Wolfgang Bauer
NicolasR (raison_nicolas@me.com)
2020-04-29 23:11:40

🎉🎉🎉

Mikey2000 (mscottscranton079@gmail.com)
2020-04-30 07:47:08

Can someone explain to me if this is the correct option what I am looking for:

I have to enable a VPN config within Web@Work for testing the WebView deprecation only for pilot users, not for everybody. Every user is using W@W at the moment, so I have to enable the VPN config with Web@Work AND check the option „Per App VPN by Label Only“ so that only my pilot users (which have the label of the VPN config) are affected, not everybody else. Right? I don‘t want that W@W will trigger the VPN for everybody because only the pilot users have the VPN config. Is this the right way?

Almar Diehl (almar.diehl@blaud.com)
2020-04-30 14:39:35

*Thread Reply:* Yes, that is the way to go.

Mikey2000 (mscottscranton079@gmail.com)
2020-04-30 20:40:47

*Thread Reply:* Great, thank you @Almar Diehl . Wasn’t there a bug if multiple labels are used that a VPN config will remain on the device even though the label was removed? Not sure if this could cause troubles.

mahiroux (mhyb.mk@gmail.com)
2020-04-30 11:20:21

Is there a way to show exchange email calendar on iOS native calendar app using Email+ like the way we export contacts from email+ to native contacts?

Peter Mohr (pm@conscia.com)
2020-04-30 11:56:32

*Thread Reply:* if you push both calendar and contacts out to native then why do you have E-mail+ at all ?

mahiroux (mhyb.mk@gmail.com)
2020-04-30 12:23:59

*Thread Reply:* can we do that alone without mail?

Peter Mohr (pm@conscia.com)
2020-04-30 13:02:42

*Thread Reply:* yes, for iOS 13+ you can push a profile without Mail and force users to not be able to enable mail. So you can deploy contacts and calendar native sync and/or mails in E-mail+

mahiroux (mhyb.mk@gmail.com)
2020-04-30 15:15:42

*Thread Reply:* How do I configure that? Just deselect ‘Email’ from ‘Items to Synchronize’?

Peter Mohr (pm@conscia.com)
2020-04-30 20:09:34

*Thread Reply:* should be that easy but I don’t know if your version of MobileIron supports this yet…

Nico Hermeling (nico.hermeling@outlook.com)
2020-04-30 20:12:10

*Thread Reply:* As far as I remember it should be released in one of the next Core versions, but it‘s not released yet

Peter Mohr (pm@conscia.com)
2020-04-30 20:16:32

*Thread Reply:* and for Cloud ?

mahiroux (mhyb.mk@gmail.com)
2020-05-01 10:14:33

*Thread Reply:* Since the core does not support this configuration yet, is there any other means to push this configuration to devices?

mahiroux (mhyb.mk@gmail.com)
2020-04-30 12:33:14

Due to the recent Apple native mail vulnerabilities, we are planning to switch all our iOS users to Email+. However, when we test Email+ on our test environment, we are facing an issue with email notifications though real time notification is enabled. Is this a known issue?

Rajesh Kumar (rajes20@gmail.com)
2020-04-30 13:53:24

*Thread Reply:* Has Apple acknowledged this vulnerability?? I didn't see it yet on the Apple site... and Email+ is free??

mahiroux (mhyb.mk@gmail.com)
2020-04-30 15:18:27

*Thread Reply:* @Rajesh Kumar https://mobilxperts.slack.com/archives/C1UC210GM/p1588062200091000

NicolasR (raison_nicolas@me.com)
2020-04-30 23:21:50

*Thread Reply:* For real time notifications you need what we call CNS - Cloud notification service.

To answer @Rajesh Kumar Email+ comes with our Gold bundle which is the most common one for most of our customers

Almar Diehl (almar.diehl@blaud.com)
2020-04-30 15:11:42

Hi all, because of the Apple native mail issues I have a customer that wants to remove the native mail app from approximately 25.000 devices but do not want to let all users delete the mailapp themselves. Therefore I am looking for a way to remove the mailapp automatically. I hoped that removing the mailapp from the homescreen, using an app restriction config, would do the trick. But although the app is being hidden, activesync in the background is still happening.

Any ideas?

Tohsheen (tbazaz@mobileiron.com)
2020-04-30 16:24:39

*Thread Reply:* apply rules on server side to only allow specific apps or use sentry ip...if you are distributing email config, stop that (does not seem like u r). You have not provided any info on setup, so hard to say what u can and can not

Almar Diehl (almar.diehl@blaud.com)
2020-04-30 16:59:36

*Thread Reply:* Sorry, we are distributing mail config and are using Sentry. But blocking server side or just removing the mail config will not be enough because a user might also have configured private mail accounts in the native app. So they really want to totally block or remove the native mail app.

NicolasR (raison_nicolas@me.com)
2020-04-30 23:23:33

*Thread Reply:* Maybe because mail is not the only app. Comes with Calendar, Contacts, Notes and Reminders

Almar Diehl (almar.diehl@blaud.com)
2020-05-01 08:22:54

*Thread Reply:* Thanks for the idea Nicolas! Just added all mentioned apps to the App Restrictions. Unfortunately ActiveSync still remains active.

Raul (rnadal@mobileiron.com)
2020-05-01 15:38:32

*Thread Reply:* If the customer admin removes the Exchange ActiveSync profile, the corporate account will disappear and it remains available only for personal accounts

Raul (rnadal@mobileiron.com)
2020-05-01 15:38:56

*Thread Reply:* Users can not configure it back manually if the Exchange server is behind a Sentry

Raul (rnadal@mobileiron.com)
2020-05-01 15:39:38

*Thread Reply:* On Exchange ECP, they can in addition block iPhone and iPad mail clients by leveraging Client Access Rules

Raul (rnadal@mobileiron.com)
2020-05-01 15:40:20

*Thread Reply:* This way only other mail clients like Email+, Gmail or Outlook, when configured properly, will be able to sync thru Sentry

Almar Diehl (almar.diehl@blaud.com)
2020-05-01 15:51:41

*Thread Reply:* Thanks Raul but as said just removing the corporate mailprofile and blocking iOS mail app is not sufficient. If the user has a private mail account configured it is still not safe. For a 100% solution the mail app has to be removed from the devices.

NicolasR (raison_nicolas@me.com)
2020-05-01 16:19:48

*Thread Reply:* You can use MTD to detect if personal email is used to compromise the device (though can’t detect personal email being detected)

Raul (rnadal@mobileiron.com)
2020-05-01 18:37:34

*Thread Reply:* ah, if they also don’t want to allow them to use personal accounts, assuming that the device is supervised, they can leverage app restriction for mail app. (This will make it disappear)

I think it’s too strict as if they are managing supervised devices, the issue is addressed in the beta of iOS 13 so as soon as it’s out in GA, they can force the update

Raul (rnadal@mobileiron.com)
2020-05-01 18:39:42

*Thread Reply:* if they are not using Supervised devices, then there’s nothing to do but to pull AS profile and block Exchange

Tohsheen (tbazaz@mobileiron.com)
2020-04-30 16:21:49

@Tohsheen has joined the channel

Lokesh Ojha (lojha@us.ibm.com)
2020-05-05 16:51:43

@Lokesh Ojha has joined the channel

Raul (rnadal@mobileiron.com)
2020-05-05 20:00:11

https://www.mobileiron.com/en/blog/mdm-compromise-and-cerberus-malware-attack

Iortx (jorge.barturen@gmail.com)
2020-05-19 14:41:22

*Thread Reply:* It seems very interesting

Michael (michaelcadogan26@gmail.com)
2020-05-06 01:32:54

Does anyone out there use Global Proxy with Per-App VPN? Run into an issue where the connection randomly drops, can recreate the problem in test environments. Remove the global proxy from the equation and it works seamlessly.

AJ (ajorgensen@mobileiron.com)
2020-05-07 06:52:37

*Thread Reply:* Assuming its per app vpn, what is dropping the connection - Proxy, Sentry, remote server or client? Is the connection that drops idle (like a terminal) or active with data periodically flowing and does it re-establish or need manual intervention?

Michael (michaelcadogan26@gmail.com)
2020-05-08 05:16:46

*Thread Reply:* You can remove the proxy from the equation and it still seems to fail. Just having a proxy.pac file specified with rules that say all traffic should go direct causes it to drop eventually. Connection has active traffic, the website in my test lab refreshes every second. Needs manual intervention, the webpage will never physically show a timeout.

As for where the connection is dropping I haven’t been able to determine that. We’ve got MI and Apple involved, was seeing if anyone out there in the broader community uses global proxy and has seen similar issues. Interesting that when I setup perapp with Workspace One and UAG it seems to handle the configuration with no issues.

Mikey2000 (mscottscranton079@gmail.com)
2020-05-06 14:01:38

I have registered a macOS device using the web-based configuration - the only thing is: Mobile@Work was not installed automatically during this enrollment process! The guide states that this process will automatically install Mobile@Work. What did I miss?

NicolasR (raison_nicolas@me.com)
2020-05-06 14:20:55

*Thread Reply:* CORE or CLOUD?

Mikey2000 (mscottscranton079@gmail.com)
2020-05-06 14:45:21

*Thread Reply:* Sorry, Core 10.6.0.0

NicolasR (raison_nicolas@me.com)
2020-05-06 14:45:43

*Thread Reply:* not supported on CORE (and not planned...)

Raul (rnadal@mobileiron.com)
2020-05-06 16:38:01

*Thread Reply:* Installing is supported.

Raul (rnadal@mobileiron.com)
2020-05-06 16:38:12

*Thread Reply:* Registering silently is not on Core

Raul (rnadal@mobileiron.com)
2020-05-06 16:38:47

*Thread Reply:* that’s why it’s better to download the client, and register from there if you are registering without DEP

Raul (rnadal@mobileiron.com)
2020-05-06 16:38:54

*Thread Reply:* on Core

Raul (rnadal@mobileiron.com)
2020-05-06 16:39:37

*Thread Reply:* for example, from https://mac.mi-labs.es

Raul (rnadal@mobileiron.com)
2020-05-06 16:40:34

*Thread Reply:* you can upload the app to Core, and deploy it as in-house, but users will be prompted to type credentials in this case

Raul (rnadal@mobileiron.com)
2020-05-06 16:40:49

*Thread Reply:* that’s why initiating the registration from client is better

Mikey2000 (mscottscranton079@gmail.com)
2020-05-06 17:13:20

*Thread Reply:* Ok perfect thank you 🙏

👍 Raul
Woody (eric.woodland@trust.tc)
2020-05-06 19:01:39

*Thread Reply:* Wait. Mobile@Work for MacOS. Did I miss something? There is an actual installable client for that platform?

😂 NicolasR, Mikey2000
Raul (rnadal@mobileiron.com)
2020-05-06 19:13:39

*Thread Reply:* yup

Raul (rnadal@mobileiron.com)
2020-05-06 19:14:01

*Thread Reply:* same client for Core and Cloud

👍 Woody
Raul (rnadal@mobileiron.com)
2020-05-06 19:14:08

*Thread Reply:* to run scripts

NicolasR (raison_nicolas@me.com)
2020-05-06 19:19:48

*Thread Reply:* Don’t ask me why they named it Mobile@work, but this is being discussed and name will probably change this year

👍 Woody, Mikey2000
Woody (eric.woodland@trust.tc)
2020-05-06 19:37:07

*Thread Reply:* Makes sense / Feature parity with WS1 in how it deploys/executes scripts

Mikey2000 (mscottscranton079@gmail.com)
2020-05-08 09:41:52

*Thread Reply:* So what would be the best approach to deploy an XML file to a certain location on the Mac? macOS Script via Mobile@Work and copy the XML file from another accessible server? I can‘t find that there is a way to deploy an XML from Core otherwise.

NicolasR (raison_nicolas@me.com)
2020-05-08 09:53:55

*Thread Reply:* If you want to execute scripts without need of M@W client on Core you can use Packages without binary. Just include in the PKG the XML file + the script required to copy it to the right location

NicolasR (raison_nicolas@me.com)
2020-05-08 09:54:38

*Thread Reply:* PKG need valid signature from dev account, that’s the only downside

Mikey2000 (mscottscranton079@gmail.com)
2020-05-08 12:28:25

*Thread Reply:* Ah gotcha thanks. And deploying apps via AppStore (pkg file) should also work, right? I have uploaded the pkg for Cisco AnyConnect as inhouse app, but it doesn’t get installed on the Mac.

NicolasR (raison_nicolas@me.com)
2020-05-09 19:21:50

*Thread Reply:* Yep should work

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-05-13 17:46:01

*Thread Reply:* Ran into some issues with the installation of the profile on some of the macbooks. What could be the cause that the installation of the profile fails? Error message: profile installation failed! The profile with the name bla bla could not be installed due to an unexpected error - Internal error:1 - any idea what could be the cause of that?

Mikey2000 (mscottscranton079@gmail.com)
2020-05-13 19:09:08

*Thread Reply:* Ideas:
- Is an active iCloud account mandatory for a successful installation/enrollment?
- Admin account for the profile installation or is a user account sufficient?

NicolasR (raison_nicolas@me.com)
2020-05-13 19:10:28

*Thread Reply:* No
Yes

drew (andrew.barber@jbhunt.com)
2020-05-06 16:21:53

@drew has joined the channel

Paul Conaty (pconaty@cwsi.ie)
2020-05-07 11:53:42

@Paul Conaty has joined the channel

Hiten Shah (1hitenshah@gmail.com)
2020-05-07 13:46:00

@Hiten Shah has joined the channel

Caryn (Csnshop@icloud.com)
2020-05-11 23:08:16

@Caryn has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-05-12 12:50:19

I can’t find a document for the compatibility of Mobile@Work for iOS - I am having an iPhone running iOS 10 where Mobile@Work seems to have a compatibility issue. While trying to download Mobile@Work from the AppStore it states that M@W is not compatible with the iOS version. Can anyone point me to a document if this is true?

NicolasR (raison_nicolas@me.com)
2020-05-12 13:54:28

*Thread Reply:* iOS AppStore should allow you to get the previous version of M@W

NicolasR (raison_nicolas@me.com)
2020-05-12 13:54:36

*Thread Reply:* iOS 10 official end of life is in June 2020

💀 Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-05-12 17:24:16

*Thread Reply:* How would I get the previous version?

NicolasR (raison_nicolas@me.com)
2020-05-13 09:50:39

*Thread Reply:* Expected automatically... but not sure, hard to test here

🙏 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-05-14 17:52:32

.

Mikey2000 (mscottscranton079@gmail.com)
2020-05-20 13:12:15

We are looking for a good solution with the following use cases: -KeePass app on iOS where we can also access our keepass databases stored On-Premise -Business Card scanner where we can store the scanned information directly to the Exchange account. Since we use Email+ I doubt that this is possible. Any experiences around here?

NicolasR (raison_nicolas@me.com)
2020-05-20 13:55:42

*Thread Reply:* I don’t know if this is On-Premise but I know it can receive AppConfig https://www.keepersecurity.com/en_GB/

🙏 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-05-20 13:58:52

*Thread Reply:* and I don’t know if this can scan business cards but worth to ask 🙂 https://marketplace.mobileiron.com/listing/securecontact%20x%20business

🙏 Mikey2000
Woody (eric.woodland@trust.tc)
2020-05-20 16:29:24

In terms of Android Enterprise, is there a way to deploy it without "Location" being enabled? I don't show any specific config values that allow me to disable it per se.

Mikey2000 (mscottscranton079@gmail.com)
2020-05-25 18:18:51

*Thread Reply:* AFAIK there was a change with Android 10 that GPS needs to be enabled in order to successfully apply a profile like WiFi.. correct me if I am wrong. You are on Cloud or Core?

macbentosh (benbergthold@gmail.com)
2020-05-20 20:20:14

How does one bulk update iOS with mi? I click one at a time and get this window.

macbentosh (benbergthold@gmail.com)
2020-05-20 20:21:03

Select more than one and get this.

macbentosh (benbergthold@gmail.com)
2020-05-20 20:21:37

No error or expected behavior

Mikey2000 (mscottscranton079@gmail.com)
2020-05-21 07:35:39

*Thread Reply:* Are your devices which are members of that policy supervised and are there updates available for these devices?

Mikey2000 (mscottscranton079@gmail.com)
2020-05-21 07:36:45

Is there a way to block Adobe Cloud within the Docs@Work configuration? I know Box and Dropbox can be blocked.

Raul (rnadal@mobileiron.com)
2020-05-21 19:27:29

*Thread Reply:* why don’t you just block adding any site and map remotely the required ones?

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-05-21 21:52:38

*Thread Reply:* Good point!

macbentosh (benbergthold@gmail.com)
2020-05-21 17:05:32

Anyone using comodo or sectigo certs in mi?

Raul (rnadal@mobileiron.com)
2020-05-21 19:55:29

*Thread Reply:* I do

Raul (rnadal@mobileiron.com)
2020-05-21 19:55:57

*Thread Reply:* I renewed Sectigo cert 1 month ago

Raul (rnadal@mobileiron.com)
2020-05-21 19:55:59

*Thread Reply:* All good

Fabian (mobilxperts@neokortex.de)
2020-05-28 02:58:46

*Thread Reply:* It's just about the trust on the devices... Sectigo (former Comodo) had some issues in the early times anno 2012, but has improved trust on devices significantly. - I am mainly waiting for a Let's Encrypt integration on Core/Sentrys 🙂 TLS1.3 will make life harder in many unforeseen ways (e.g. renegotiate will be dropped, something Core and Cloud work with intensively). We will get lots more ports and certificates.... so automation will be key

Raul (rnadal@mobileiron.com)
2020-05-28 08:29:48

*Thread Reply:* problem is that Let’s Encrypt CRL is based on OCSP and doesn’t expose any CRL distribution point thru http/https.

If you are leveraging Common Criteria mode, those certs will not work

Raul (rnadal@mobileiron.com)
2020-05-28 08:29:53

*Thread Reply:* I already have tested that

Raul (rnadal@mobileiron.com)
2020-05-28 08:30:26

*Thread Reply:* With Sectigo, the only thing that you have to keep in mind is to get the latest CA chain as it changed recently

Raul (rnadal@mobileiron.com)
2020-05-28 08:30:35

*Thread Reply:* for the rest, it’s a good CA

Woody (eric.woodland@trust.tc)
2020-05-21 19:36:04

@NicolasR do you know when Apple’s Shared iPad functionality is slated to arrive in Core?

NicolasR (raison_nicolas@me.com)
2020-05-21 19:46:11

Expected for Q3

👍 Woody, Phil Hackett
Raul (rnadal@mobileiron.com)
2020-05-22 07:30:40

Guys, I’ve made my way to make Samsung Email to work fine on Android Enterprise thru Sentry with KCD.

👍 Mathieu Beaugrand, Iortx, Woody, Mikey2000, Govi
Mikey2000 (mscottscranton079@gmail.com)
2020-05-24 12:04:25

*Thread Reply:* Wow this sounds great - totally interested!

Conradin Candrian (Conradin.Candrian@swisscom.com)
2020-06-08 08:55:52

*Thread Reply:* I'm interested too.

Raul (rnadal@mobileiron.com)
2020-06-08 08:58:54

*Thread Reply:* Here’s a working example for Core

Raul (rnadal@mobileiron.com)
2020-06-08 08:58:56

*Thread Reply:*

Raul (rnadal@mobileiron.com)
2020-06-08 08:59:30

*Thread Reply:* Import the app and configure it like any other AE managed config

🙏 Mikey2000
Conradin Candrian (Conradin.Candrian@swisscom.com)
2020-06-08 09:01:09

*Thread Reply:* Thanks a lot, will test it this week

Raul (rnadal@mobileiron.com)
2020-05-22 07:30:53

If anyone is interested just let me know

NicolasR (raison_nicolas@me.com)
2020-05-22 08:18:20

Hello all, It’s Friday and ICYMI: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000kAYNSA2 😉

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-05-25 07:46:27

MTD with MobileIron Core - Port 8883 for CPS -„..this port must be open for the service to function“ Not very much detail regarding source and destination - Core must be reachable on Port 8883 or who is the source/destination?

Raul (rnadal@mobileiron.com)
2020-05-25 08:31:31

Ingress IP Addresses (inbound traffic)

Raul (rnadal@mobileiron.com)
2020-05-25 08:31:50

So Core must be reachable from internet thru port 8883

👍 NicolasR, Mikey2000
Raul (rnadal@mobileiron.com)
2020-05-25 08:35:01

or from MTD IP ranges

NicolasR (raison_nicolas@me.com)
2020-05-26 16:48:16

For those who need to generate a QRCode for Android Enterprise enrollment from an iOS device.... I’ve built this shortcut: https://www.icloud.com/shortcuts/c5ffbcf8bf1a4d1eb8156f74a05159b6

Feel free to reach out to me if you find a bug or missing things

NicolasR (raison_nicolas@me.com)
2020-05-26 16:49:49

*Thread Reply:* @Tobias @Fabian as I’m not an expert on DT hosted platforms, let me know if I missed something or if I can improve something (for example set fixed hostnames for DT Cloud)

Fabian (mobilxperts@neokortex.de)
2020-05-28 02:53:26

*Thread Reply:* At least DT cloud has its own FQDN: https://dt.mdm.telekom.net/ - And it is very likely to not be changed 😉

👍 NicolasR
Raul (rnadal@mobileiron.com)
2020-05-27 11:28:43

https://www.youtube.com/watch?v=e72MCV6BiAA

🍻 NicolasR, Mikey2000
Raul (rnadal@mobileiron.com)
2020-05-27 13:25:33

https://www.linkedin.com/posts/georgedoukatelis_mobileiron-threat-defense-in-action-unc0ver-activity-6671340605131632641-rftn

Mikey2000 (mscottscranton079@gmail.com)
2020-05-28 17:27:55

MobileIron MTD question - MTD detects if a device has an outdated OS version installed. In our case we tested it with both Android and iOS. In the zConsole both devices are flagged because of the outdated OS version - fine! Within the M@W client on Android MTD shows the outdated OS, but M@W client on iOS doesn’t even though the zConsole shows it. Why?

Also, is there no indicator on the devices in the Admin Portal device overview for devices which have an active threat - an indicator like violating an app control rule? I guess that’s what the zConsole is for, right?

BTW - I really like the setup of MTD! Great stuff

Raul (rnadal@mobileiron.com)
2020-05-28 18:19:07

*Thread Reply:* Hey @Mikey2000,

I have an iPad mini 4 registered to Core 10.6, and now I see the outdated OS threat inside M@W

Raul (rnadal@mobileiron.com)
2020-05-28 18:19:58

*Thread Reply:* My guess is that today is when Apple has reported some CVEs that made the current iOS version officially vulnerable as this morning it wasn’t showing anything as you said

Mikey2000 (mscottscranton079@gmail.com)
2020-05-28 18:20:15

*Thread Reply:* Did you deploy an MTD local policy?

Raul (rnadal@mobileiron.com)
2020-05-28 18:20:51

*Thread Reply:* Sure because that’s what makes the threat to appear inside M@W

Raul (rnadal@mobileiron.com)
2020-05-28 18:21:39
Raul (rnadal@mobileiron.com)
2020-05-28 18:22:12

*Thread Reply:* TRM policies will not be shown inside M@W, only local policy threats

Mikey2000 (mscottscranton079@gmail.com)
2020-05-28 18:22:54

*Thread Reply:* Right.. Same on my iPhone 6s - I mean the pending update. Maybe I missed something in the local policy then. For Android I have no local policy but it still appears in M@W

Raul (rnadal@mobileiron.com)
2020-05-28 18:23:54

*Thread Reply:* you have to enable the Show notification setting on each rule inside MTD LocalActions policy to show the threat inside M@W

Raul (rnadal@mobileiron.com)
2020-05-28 18:24:49

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2020-05-28 18:25:19

*Thread Reply:* Great thanks.. but there is no indication for MTD threats on the device in the admin portal right?

Raul (rnadal@mobileiron.com)
2020-05-28 18:25:36

*Thread Reply:* on portal is more for Admins, not for the user

Raul (rnadal@mobileiron.com)
2020-05-28 18:26:38

*Thread Reply:* On MTD Console I only enable alerts to be sent to admins,

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-05-28 18:26:58

*Thread Reply:* but the notif sent to users is only triggered from local actions policy

Mikey2000 (mscottscranton079@gmail.com)
2020-05-28 18:27:37

*Thread Reply:* Yes but I mean wouldn’t it be interesting for MDM Admins to see the active threats? But I guess that’s what zConsole is for..

Raul (rnadal@mobileiron.com)
2020-05-28 18:28:06

*Thread Reply:* yeah, the threat log is only shown on MTD console.

Mikey2000 (mscottscranton079@gmail.com)
2020-05-28 18:28:16

*Thread Reply:* Gotcha..

Raul (rnadal@mobileiron.com)
2020-05-28 18:28:44

*Thread Reply:* Even if you tie an online remediation action, this will not be very informative for the MDM admin

Raul (rnadal@mobileiron.com)
2020-05-28 18:28:51

*Thread Reply:* it’s always better to check MTD console

Raul (rnadal@mobileiron.com)
2020-05-28 18:29:08

*Thread Reply:* and configure alerts there to send Threat Reports to admins

Raul (rnadal@mobileiron.com)
2020-05-28 18:29:31

*Thread Reply:* that’s how I notice if there are any active threats when I’m not inside the MTD console

Mikey2000 (mscottscranton079@gmail.com)
2020-05-28 18:30:08

*Thread Reply:* Yes that sounds about right.. I will thanks 🍺

👍 Raul
Mikey2000 (mscottscranton079@gmail.com)
2020-05-29 06:55:56

*Thread Reply:* Can you shed some light on the labels which are needed:
-Label(s) for the activation configuration (needs to be applied to the devices)
-Labels for the compliance groups on Core (like MTDBlock, MTDQuarantine, etc) - no need to apply these to devices because they will be used if a compliance issue triggers, right?
-Label for the event settings on Core - like MTD Event Detected - should this label be applied beforehand or is it also used if an event is gonna be triggered?

Also I guess these labels need to be known or activated in the zConsole, right? On page 21 in the guide it says that labels need to be created before setting up Core with Zimperium, which was not the case.

Raul (rnadal@mobileiron.com)
2020-05-29 08:19:20

*Thread Reply:* You are mixing things here

Raul (rnadal@mobileiron.com)
2020-05-29 08:21:58

*Thread Reply:* Perform the integration from MTD console to Core.

Recommendation is to import the iOS and Android labels (both).

On Core, apply the activation config to the labels that you wish. It doesn’t need to be the same labels of iOS and Android.

Then create 2 local actions configs (1 for iOS and 1 for Android) and the phishing config, and apply them to the labels that you wish.

If you also need to use online remediation actions, for example for a chained remediation (I use it for outdated OS threats) then you need to create the compliance actions and so, to reference them in the TRM policy list on MTD console.

Mikey2000 (mscottscranton079@gmail.com)
2020-05-29 08:51:07

*Thread Reply:* Thanks - „Recommendation is to import the iOS and Android labels (both).“ you mean the default filter labels?

Raul (rnadal@mobileiron.com)
2020-05-29 09:36:08

*Thread Reply:* yup. Import them to the MTD Console when you do the integration

Raul (rnadal@mobileiron.com)
2020-05-29 09:36:18

*Thread Reply:* That’s the best way to do

Mikey2000 (mscottscranton079@gmail.com)
2020-05-29 12:29:06

*Thread Reply:* Great thanks! 🙏

Mikey2000 (mscottscranton079@gmail.com)
2020-05-29 12:29:31

*Thread Reply:* What did I miss if this is unavailable? (zConsole - Policy - Threat Policy)

Mikey2000 (mscottscranton079@gmail.com)
2020-05-29 12:29:47

*Thread Reply:*

Raul (rnadal@mobileiron.com)
2020-05-29 12:46:11

*Thread Reply:* Don’t use the Default Group

Raul (rnadal@mobileiron.com)
2020-05-29 12:46:54

*Thread Reply:* You have to select the TRM policy created for each Label imported (iOS and Android)

Mikey2000 (mscottscranton079@gmail.com)
2020-05-29 12:49:21

*Thread Reply:* Ok thanks.. this is very complex 😜

Mikey2000 (mscottscranton079@gmail.com)
2020-05-29 12:53:28

*Thread Reply:* Now it all makes more sense! Thanks! Didn’t see that switch..

Raul (rnadal@mobileiron.com)
2020-05-29 12:54:38

*Thread Reply:* 👍

Mikey2000 (mscottscranton079@gmail.com)
2020-05-29 05:48:12

Does anyone know which license this is?

Mathieu Beaugrand (beaugrandma@gmail.com)
2020-05-29 06:19:24

*Thread Reply:* You need the Platinum license to use MobileIron Tunnel. Except if you only want to use it for MobileIron productivity apps (D@W, W@W…) for iOS, then the Gold license will do. Note that MobileIron licenses are changing to “Secure UEM” and “Secure UEM Premium”.

Mikey2000 (mscottscranton079@gmail.com)
2020-05-29 06:49:02

*Thread Reply:* Thanks - we configure this VPN configuration for our third party VPN solution, so I guess the platinum feature doesn’t apply here right?

Raul (rnadal@mobileiron.com)
2020-05-29 08:18:09

*Thread Reply:* You are right

🙏 Mikey2000
Jay Robinson (Jay.Robinson@sas.com)
2020-06-05 14:44:27

@Jay Robinson has joined the channel

iMZ (mark_zimmermann@me.com)
2020-06-06 11:12:19

Which MDM rules do you use to detect, prevent or hinder jailbreaks of your devices early on?

Raul (rnadal@mobileiron.com)
2020-06-06 11:29:01

*Thread Reply:* Security policy, device compromised to remediate

Raul (rnadal@mobileiron.com)
2020-06-06 11:29:08

*Thread Reply:* Compliance policy to alert

iMZ (mark_zimmermann@me.com)
2020-06-06 17:57:34

*Thread Reply:* Ok, but which settings will help you to prevent jailbreaks like unc0ver?

Rajesh Kumar (rajes20@gmail.com)
2020-06-07 02:44:00

*Thread Reply:* For unc0ver - apple has released patched version 13.5.1.. please request user to update to this version asap.

👍 Woody
Mirko Bülles (mbulles@mobileiron.com)
2020-06-17 08:09:13

*Thread Reply:* We have integrated JB/Root detection in both the UEM Clients, but these will often rely on known signatures. For a better security approach I would advise to use MTD on top of UEM as this will protect also for 0-days and unknown JB like we have seen with uncover. Which was detected actually by both our Client and MTD as it had a known signature.

Paddy (pa.braun@icloud.com)
2020-06-10 11:54:50

@Paddy has joined the channel

Woody (eric.woodland@trust.tc)
2020-06-16 16:17:31

Anyone have the release notes for Core 10.6.0.1?

Woody (eric.woodland@trust.tc)
2020-06-16 16:18:57

*Thread Reply:* I see it resolves this Custom VPN issue, but nothing else showing up https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000kACwSAM

Mark Vonk (mark.vonk@dahvo.com)
2020-06-16 17:22:49

*Thread Reply:* The documentation is available including the release notes. https://help.mobileiron.com/s/mil-productdoclistpage?Label=Core&Id=a1s3400000240gaAAA&Name=MobileIron+Core

Make sure to select 10.6.0.1 at the top right corner.

👍 Woody
Mark Vonk (mark.vonk@dahvo.com)
2020-06-16 17:23:23

*Thread Reply:* I have verified it today and the custom ssl vpn works again

👍 Woody
Almar Diehl (almar.diehl@blaud.com)
2020-06-16 18:07:28

*Thread Reply:* 10.6.0.1 also patches a major security issue...

🙏 Mark Vonk
Woody (eric.woodland@trust.tc)
2020-06-16 22:23:12

*Thread Reply:* @Almar Diehl does that same issue exist in 10.4.x? Or just the 10.6 line?

Mark Vonk (mark.vonk@dahvo.com)
2020-06-16 22:40:14

*Thread Reply:* In all versions. There are upgrades / updates from 10.3 and up. But even lower versions than that have the issue, but there is no update for those.

👍 Woody
NicolasR (raison_nicolas@me.com)
2020-06-16 20:59:58

Hi all, Please patch the CORE, SENTRY, Connectors and RDB/Monitor if you haven’t done it yet. If necessary patch first and upgrade later (as upgrades require some preparation / testing)... More details at: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000g065SAA

😱 Almar Diehl, Woody
✅ Woody
NicolasR (raison_nicolas@me.com)
2020-06-16 21:00:32

Cloud is already patched of course 😉

Almar Diehl (almar.diehl@blaud.com)
2020-06-17 14:13:12

Just a quick question: I know there is a CLI command for Core to disable all user access but I can not remember/find what it is. Anyone?

Raul (rnadal@mobileiron.com)
2020-06-18 07:43:48

*Thread Reply:* Hey,

Raul (rnadal@mobileiron.com)
2020-06-18 07:44:11

*Thread Reply:* I can check,

Raul (rnadal@mobileiron.com)
2020-06-18 07:45:13

*Thread Reply:* what’s the task you’re doing that requires that?

Raul (rnadal@mobileiron.com)
2020-06-18 07:45:32

*Thread Reply:* I guess you mean to keep all admins out of the console, maybe to upgrade Core?

Almar Diehl (almar.diehl@blaud.com)
2020-06-18 07:46:35

*Thread Reply:* Upgrade of HA environment. Had to be done late at night without modifying the loadbalancer. So prevent users/devices to access to secondary server while we are upgrading the primary.

Raul (rnadal@mobileiron.com)
2020-06-18 07:48:21

*Thread Reply:*

Raul (rnadal@mobileiron.com)
2020-06-18 07:48:50

*Thread Reply:* is it the command you mean?

Almar Diehl (almar.diehl@blaud.com)
2020-06-18 07:49:04

*Thread Reply:* You are a hero!!

Raul (rnadal@mobileiron.com)
2020-06-18 07:49:11

*Thread Reply:* Cool

BM4JGALGP
2020-06-18 11:03:44

How many of us also use macadmins.slack.com

👍 NicolasR
NicolasR (raison_nicolas@me.com)
2020-06-18 11:17:35

*Thread Reply:* probably @Jay Robinson & @Daniel Reis are there as well

Simple Poll
2020-06-19 05:02:28

@Simple Poll has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-06-24 07:13:16

What is the normal procedure to enroll a Zebra device into MobileIron Cloud? Not like Android DO enrollment hence I don’t need AE for Zebras right?

Raul (rnadal@mobileiron.com)
2020-06-24 08:43:31

*Thread Reply:* Why not AE enrollment?

Raul (rnadal@mobileiron.com)
2020-06-24 08:43:50

*Thread Reply:* If the device is on Android 6 or 7 it should work. I’ve registered several

Raul (rnadal@mobileiron.com)
2020-06-24 08:44:10

*Thread Reply:* Use afw# method

Mikey2000 (mscottscranton079@gmail.com)
2020-06-24 08:45:28

*Thread Reply:* Ah ok thanks.. I thought Zebras can only use StageNow

Raul (rnadal@mobileiron.com)
2020-06-24 08:46:47

*Thread Reply:* You can actually send also SN XMLs afterwards from MI

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-06-24 08:47:04

*Thread Reply:* If there’s something you want to do that is not in the UI

Mikey2000 (mscottscranton079@gmail.com)
2020-06-24 08:47:17

*Thread Reply:* Ah got it! Thanks!

Mikey2000 (mscottscranton079@gmail.com)
2020-06-24 08:47:59

*Thread Reply:* And for AE COSU enrollment in Cloud i need only the kiosk policy, right?

Raul (rnadal@mobileiron.com)
2020-06-24 08:48:36

*Thread Reply:* Yup. Deploy apps and add those apps to the Kiosk config to see them inside

Mikey2000 (mscottscranton079@gmail.com)
2020-06-24 08:49:02

*Thread Reply:* Is there no AFW enrollment setting like in Core which I need?

Mikey2000 (mscottscranton079@gmail.com)
2020-06-24 08:49:39

*Thread Reply:* Ah see it

Raul (rnadal@mobileiron.com)
2020-06-24 08:50:13

*Thread Reply:* You have to ensure to apply the Work Managed Device config that comes pre-created with the MI Cloud console

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-06-24 08:50:41

*Thread Reply:* By default COPE and DO configs are applied to all androids so change the distribution, and that’s all

Raul (rnadal@mobileiron.com)
2020-06-24 08:51:06

*Thread Reply:* For the kiosk, create a Lockdown config of type Work Managed device and enable the kiosk there

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-06-24 08:58:40

*Thread Reply:* Do I have to turn on kiosk like on Core on the device or in the Go app?

Raul (rnadal@mobileiron.com)
2020-06-24 09:59:55

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2020-06-24 10:14:06

*Thread Reply:* Great thank you 🙏

Raul (rnadal@mobileiron.com)
2020-06-24 10:18:58

*Thread Reply:* 👍

Matt Dermody (jmdermody@gmail.com)
2020-06-24 15:38:27

*Thread Reply:* You can use StageNow for DO enrollment in AirWatch and SOTI, I’m not sure if that is an option for MI

🙏 Mikey2000
Matt Dermody (jmdermody@gmail.com)
2020-06-24 15:39:39

*Thread Reply:* This is usually my preferred enrollment mechanism for Zebra devices since you don’t have to type anything or tap on Hello There or anything. One scan to bypass the GMS setup wizard and a second scan to connect to wifi, download an agent, install it, set it as DO, and enroll into the EMM server

🙏 Mikey2000
Raul (rnadal@mobileiron.com)
2020-06-24 15:49:40

*Thread Reply:* Yeah, thanks, it’s def supported on MobileIron Core and Cloud.

🙏 Mikey2000
Raul (rnadal@mobileiron.com)
2020-06-24 15:49:46

*Thread Reply:* For years actually

Philip Harrison (CWSI) (pharrison@cwsi.ie)
2020-07-09 15:43:41

*Thread Reply:* @Matt Dermody FWIW I've tested AEDO with MobileIron Core from StageNow. Requires a bit of custom intent calling that took a while to figure out, but I've stuck the details here for those coming across this discussion in future! Should also work with MI Cloud https://cwsisecurity.com/resource/project-recap-enrolling-zebra-devices-to-mdm-in-android-enterprise-device-owner-aedo-mode-using-stagenow/

👍 Raul, Mikey2000
🍻 Raul, Mikey2000
:upvote: Matt Dermody
💯 Matt Dermody
Raul (rnadal@mobileiron.com)
2020-07-09 17:48:15

*Thread Reply:* Thanks for sharing @Philip Harrison (CWSI), great stuff!

Matt Dermody (jmdermody@gmail.com)
2020-07-09 18:35:04

*Thread Reply:* Fantastic, thanks for sharing!!

Florent N. (Florent.NOSARI@econocom.com)
2020-06-29 10:23:34

@Florent N. has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2020-07-13 20:50:02

Anyone else also seeing Mobile@Work detecting iOS 14 devices as jailbroken? Hoping MI addresses this soon so we don’t have to put beta testers into a test policy :(

Ala Almaet (ala@alaalmaet.com)
2020-07-13 23:29:07

*Thread Reply:* Hi @Kiran Patel this article should provide some guidance https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000g0I8SAI

YAS (esteem143@gmail.com)
2020-07-14 16:23:48

@YAS has joined the channel

Jay Robinson (Jay.Robinson@sas.com)
2020-07-15 14:11:47

How many use the MobileIron API regularly? I use it for cleanup, complex deployments and to give our users the ability to opt into and out of some configurations via a ServiceNow form.

Yasar (siddiqui.arfat@yahoo.in)
2020-07-15 14:52:26

*Thread Reply:* Unless one is supporting a large fleet of devices as used by (pharma/banking) people don't take advantage of API

Jason (jasonh@bridgeway.co.uk)
2020-07-15 15:45:10

*Thread Reply:* We leverage them (for there are various APIs currently around) for delivering IronWorks - a MobileIron reporting and dashboard solution - to our customers.

Jason (jasonh@bridgeway.co.uk)
2020-07-15 15:45:57

*Thread Reply:* Sorry for the self-promotion plug, but we gather the data daily using these APIs, so seemed relevant here.

Jay Robinson (Jay.Robinson@sas.com)
2020-07-15 16:38:42

*Thread Reply:* We manage about 13000 mobile devices. I run daily Python scripts to…
• Delete Retired devices from the console after 30 days.
• Reset temporary configs I’ve allowed users to opt-in to
• Fix odd stuff until official fixes come through (i.e. Ownership settings etc).
• Supplement complex deployments (i.e. Removal of Native mail config when exchange last sync is more than 7 days)

Tohsheen (tbazaz@mobileiron.com)
2020-07-16 13:55:03

Hello folks.. wanted to see what level of anticipation you have for new features from Apple. Which feature(s) can you not wait to get your hands on when iOS 14 or macOS Big Sur hit the markets (public releases)?

Jason (jasonh@bridgeway.co.uk)
2020-07-16 15:24:08

*Thread Reply:* I can’t wait to see new Arm-based Mac hardware myself. 🙂

Tohsheen (tbazaz@mobileiron.com)
2020-07-16 16:15:15

*Thread Reply:* that definitely will open the app developers to more possibilities for their apps..more wider user base. Apple seems to be going BIG for the enterprise market now

Jason (jasonh@bridgeway.co.uk)
2020-07-16 16:43:27

*Thread Reply:* Hmm, not convinced their enterprise approach is quite there though. It is hard to interweave a Mac laptop into a MSFT ecosystem, and Apple’s support for alternative services is woeful - DNS, web, email and similar services are no longer supported/shipped, for example.

Jason (jasonh@bridgeway.co.uk)
2020-07-16 16:45:03

*Thread Reply:* I’ve always felt as if there had been a clause in the MSFT loan to Apple back in the day that prevented them from competing on the enterprise desktop/server space. Apple’s approach has always been piecemeal there, even by MSFT standards.

Tohsheen (tbazaz@mobileiron.com)
2020-07-17 11:38:56

*Thread Reply:* I think and this is just my personal opinion that Apple has struggled to get developers to enterprise for Macs..and till date the Win7 to Mac issue haunts Apple from progressing in enterprise

Tohsheen (tbazaz@mobileiron.com)
2020-07-17 11:40:41

*Thread Reply:* There is an underlying acceptance in the air about Microsoft being THE productivity suite..that is why they showed office on new silicon

👍 Jason, Woody
Woody (eric.woodland@trust.tc)
2020-07-17 14:23:44

*Thread Reply:* I'm pumped about ScreenTime on tvOS. Not for enterprise so much, but for the household 🙂

faycal osseni (faycal.osseni@gmail.com)
2020-07-17 08:06:35

@faycal osseni has joined the channel

Tohsheen (tbazaz@mobileiron.com)
2020-07-17 11:42:03

I will start with my fav.. My favorite feature for iOS is going to be encrypted DNS (I changed my mind)

👍 Woody
Tohsheen (tbazaz@mobileiron.com)
2020-07-17 12:03:16

Maybe a close second is non-removable managed apps

Almar Diehl (almar.diehl@blaud.com)
2020-07-17 13:50:24

Did any of you ever install a Sentry server on Azure? I am currently trying. Following the instructions from MobileIron I have the server up-and-running (I can see on the console) but when I try to SSH into the server to complete the configuration I get a ‘connection refused’. If I test port 22 from the Azure portal it claims that SSH can be used from any ip.

Anyone got a solution for the connection refused?

Tohsheen (tbazaz@mobileiron.com)
2020-07-17 16:10:45

*Thread Reply:* Did you define a password in the paramters.json ?

Almar Diehl (almar.diehl@blaud.com)
2020-07-17 16:50:23

*Thread Reply:* Yes I did.

Raul (rnadal@mobileiron.com)
2020-07-20 21:52:04

*Thread Reply:* Then you should be way to go as the default Security Group allows SSH over port 22, and the default password is defined in the json file before to start the procedure of creating the blob

Raul (rnadal@mobileiron.com)
2020-07-20 21:52:12

*Thread Reply:* check the steps

Almar Diehl (almar.diehl@blaud.com)
2020-07-21 08:23:03

*Thread Reply:* We found a solution, seems to be a bug in the 9.8.1 VHD. Re-installed with a 9.7.1 VHD and that works fine.

Raul (rnadal@mobileiron.com)
2020-07-17 21:03:02

*Thread Reply:* Do you mean to use whitelist and blacklist features?

👍 Woody
Raul (rnadal@mobileiron.com)
2020-07-17 21:03:13

*Thread Reply:* If so, I have it working.

Raul (rnadal@mobileiron.com)
2020-07-17 21:03:29

*Thread Reply:* I only allow internal traffic on AE managed Chrome

Woody (eric.woodland@trust.tc)
2020-07-20 14:40:07

*Thread Reply:* Yes @Raul! We pretty much prefer Chrome around these parts, so wanting to deploy to iOS and lock it down similar to that of Safari

Raul (rnadal@mobileiron.com)
2020-07-20 15:13:20

*Thread Reply:* ah, but on iOS there’s no managed config for Chrome, sorry for the confusion

😢 Woody
Raul (rnadal@mobileiron.com)
2020-07-20 15:13:29

*Thread Reply:* I thought you meant on AE

Woody (eric.woodland@trust.tc)
2020-07-20 15:37:45

*Thread Reply:* Ah, darn! I was thinking I had come across at least a couple managed configs for Chrome on iOS in the past.

Woody (eric.woodland@trust.tc)
2020-07-20 21:19:20

Can anyone explain uploading an in-house APK for distribution via Android Enterprise? I've uploaded to Core and have the AE box checked, but it's wanting the License (which I downloaded)... but there's a bunch of excess in that file.

Raul (rnadal@mobileiron.com)
2020-07-20 21:45:39

*Thread Reply:* Uploading an APK directly to Core is intended only for DO mode devices and will not allow you to configure it.

What you should do, once that you have the AE bind configured to deploy AE, is:

Go to Apps catalog and do like you to import a public app. This will open iFrame.

At the left you will see a pane where you can choose between public apps, private apps or web apps.

Raul (rnadal@mobileiron.com)
2020-07-20 21:46:02

*Thread Reply:* Choose Private app and hit the coloured + button to upload your private apk

Raul (rnadal@mobileiron.com)
2020-07-20 21:46:30

*Thread Reply:* it will be published and later you will be able to handle it like you do for public apps.

Raul (rnadal@mobileiron.com)
2020-07-20 21:46:58

*Thread Reply:* this method will make app available for all 3 AE deployment methods

👍 Woody
Raul (rnadal@mobileiron.com)
2020-07-20 21:48:27

*Thread Reply:*

Woody (eric.woodland@trust.tc)
2020-07-20 22:25:53

*Thread Reply:* Righteous. Thank you so much @Raul! 👏

👍 Raul
Woody (eric.woodland@trust.tc)
2020-07-22 17:37:48

*Thread Reply:* @Raul after it goes Pending, do I need to stay on this screen?

Woody (eric.woodland@trust.tc)
2020-07-22 18:06:40

*Thread Reply:* Disregard. Looks like it remains in that iFrame from Google even if I leave/return

Woody (eric.woodland@trust.tc)
2020-07-20 21:23:08

Okay, apparently the app will still host/install without the license? Just tried it for giggles and it installed.

Raul (rnadal@mobileiron.com)
2020-07-20 21:49:47

*Thread Reply:* The json file you get from Core when you upload an apk directly is intended for self hosted deployment, and requires a paid developer account, but you don’t need that to deploy regular private apps.

👍 Woody
Raul (rnadal@mobileiron.com)
2020-07-20 21:50:07

*Thread Reply:* Just follow the guidelines I shared on the other comment

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-07-24 21:17:58

Anyone familiar with this one? Looks like a firewall issue:

Clark (76clark@gmail.com)
2020-07-24 21:45:43

*Thread Reply:* It is likely firewall related but have seen a few times when the token is corrupted and just going through the process once more with a new token seems to work.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-07-25 17:12:51

*Thread Reply:* I cannot find anything being blocked from the Firewall. DEP service within Core has the status success! Tried three times with a new token, same error!

Nico Hermeling (nico.hermeling@outlook.com)
2020-07-25 23:06:37

*Thread Reply:* Is there a proxy with SSL offloading? This led to a similar issue for a customer.

Mikey2000 (mscottscranton079@gmail.com)
2020-07-26 05:53:53

*Thread Reply:* Thanks for the input @Nico Hermeling - no we have no proxy. Have to find the logs on Core to get more info on this.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-07-27 06:51:08

*Thread Reply:* maybe wrong token (DEP, Wrong account on refresh)?

Mikey2000 (mscottscranton079@gmail.com)
2020-07-27 09:35:16

*Thread Reply:* Turned out to be a browser issue! Chrome destroyed the token. No issue with one of the others and it worked!

Mikey2000 (mscottscranton079@gmail.com)
2020-07-27 09:36:41

Samsung Native Email app on Android Enterprise devices with MobileIron Core - will the native client work with MobileIron Access hence support for Modern Auth?

Raul (rnadal@mobileiron.com)
2020-07-27 09:51:27

*Thread Reply:* This is a request for Samsung as they need to support modern auth to be configured remotely

Raul (rnadal@mobileiron.com)
2020-07-27 09:51:36

*Thread Reply:* AFAIK they only support Basic and Kerberos

Raul (rnadal@mobileiron.com)
2020-07-27 09:51:50

*Thread Reply:* There’s no managed config exposed to configure Oauth

👍 Mark Vonk
Mikey2000 (mscottscranton079@gmail.com)
2020-07-27 09:52:03

*Thread Reply:* That is what i thought.. damn

Mikey2000 (mscottscranton079@gmail.com)
2020-07-27 09:52:13

*Thread Reply:* Thanks! 🙏

👍 Raul
Ajay Patel (ajay5675@msn.com)
2020-07-27 10:18:20

*Thread Reply:* just an FYI it would seem Samsung email does support this now via Managed Config.. see attached image...

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-07-27 10:20:15

*Thread Reply:* Ok interesting.. but we use Exchange On-Premise. Do we also need Modern Auth?

Mikey2000 (mscottscranton079@gmail.com)
2020-07-27 10:21:35

*Thread Reply:* Scratch that.. Access is not relevant for Exchange On-Prem with Sentry anyway, right? As long as we do not migrate to O365 we are safe right?

Mark Vonk (mark.vonk@dahvo.com)
2020-07-27 11:04:44

*Thread Reply:* It was not available, but as @Ajay Patel mentions, it was added recently! Good find, thanks

👍 Mikey2000, Raul
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-07-27 15:26:22

*Thread Reply:* You can also configure Exchange On-Premise to use Modern Auth, but normally you only do it when going hybrid

Raul (rnadal@mobileiron.com)
2020-07-27 16:15:39

*Thread Reply:* AFAIK you need at least 1 account on O365 to do so, and that’s automatically a hybrid environment

Raul (rnadal@mobileiron.com)
2020-07-27 16:16:28

*Thread Reply:* When using Exchange + Sentry you can use KCD which is the best experience for on-premise mail

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-07-27 16:16:45

*Thread Reply:* unless you use Outlook for sure, that doesn’t support KCD

Mark Vonk (mark.vonk@dahvo.com)
2020-07-27 16:20:27

*Thread Reply:* Indeed, modern auth for on-premise Exchange only exists when your exchange is hybrid: configured to interact with Exchange Online. No need for an actual mailbox on EOL yet. https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-07-29 07:59:18

What could be the cause for the following issue:

We deploy Email+ for AEWP devices with MobileIron Core. We use Exchange Online. When our users change the password in the local AD it sometimes takes ages before Email+ accepts the new password, sometimes Email+ doesn’t accept the new password at all. My guess: Core still has the old password stored in the variable $password$? But the users enter the new password also in Mobile@Work. If we use AAD Connect with Password Hash (not ADFS) the sync needs to happen before Exchange Online is aware of the new password, right?

Tohsheen (tbazaz@mobileiron.com)
2020-07-29 09:42:20

*Thread Reply:* Core does not store any password or hash of password. Authentication happens with AD

Mikey2000 (mscottscranton079@gmail.com)
2020-07-29 09:43:09

*Thread Reply:* And what is the feature „save user password“ on Core?

Mikey2000 (mscottscranton079@gmail.com)
2020-07-29 09:47:32

*Thread Reply:*

Tohsheen (tbazaz@mobileiron.com)
2020-07-29 10:55:52

*Thread Reply:* Ah, yes, that feature is there.

Tohsheen (tbazaz@mobileiron.com)
2020-07-29 11:01:48

*Thread Reply:* This is what I could find : To get the new password synced to Core, we should go to Core > Users > Resync LDAP (make sure you turn off the LDAP Discard % in the LDAP-preferences)

Tohsheen (tbazaz@mobileiron.com)
2020-07-29 11:03:30

*Thread Reply:* This is to force a sync or you will have to wait for your sync to happen

Mikey2000 (mscottscranton079@gmail.com)
2020-07-29 11:04:46

*Thread Reply:* Ok right thanks. Since this is a manual resync this is impossible to schedule because I would never know when a user changed his password. But thanks for the hint!

Mikey2000 (mscottscranton079@gmail.com)
2020-07-29 11:07:55

*Thread Reply:* But I believe it is also possible that Azure is not aware of the new password if the AAD Sync didn’t happen

Tohsheen (tbazaz@mobileiron.com)
2020-07-29 11:11:04

*Thread Reply:* Possible. Passthrough authentication from AzureAD solves this latency issue

Raul (rnadal@mobileiron.com)
2020-07-29 11:47:31

*Thread Reply:* Save Password is intended to save the password typed during registration

Raul (rnadal@mobileiron.com)
2020-07-29 11:48:04

*Thread Reply:* It’s not good as when it changes on AD, if the user doesn’t log in to Core SS, the stored password doesn’t change

Raul (rnadal@mobileiron.com)
2020-07-29 11:48:25

*Thread Reply:* If you have Exchange Online, I recommend you to give CBA a try

🙏 Mikey2000
Raul (rnadal@mobileiron.com)
2020-07-29 11:48:57

*Thread Reply:* It will not be killed by MS, and works like a charm since 2016

Raul (rnadal@mobileiron.com)
2020-07-29 11:50:17

*Thread Reply:* If you want to force AAD to check cert CRL, and you’re not using Core as CA, you will need to expose the CRL to the internet

Mikey2000 (mscottscranton079@gmail.com)
2020-07-29 11:50:40

*Thread Reply:* Great input! Thank you Raul!

🍻 Raul
Raul (rnadal@mobileiron.com)
2020-07-29 11:50:53

*Thread Reply:* Best approach is to use Core as standalone CA or to turn it into an intermediate CA from your internal CA

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-07-29 11:51:08

*Thread Reply:* This way Core will expose the CRL for you

Raul (rnadal@mobileiron.com)
2020-07-29 11:51:19

*Thread Reply:* Checking CRL is not mandatory anyway

Raul (rnadal@mobileiron.com)
2020-07-29 11:54:34

*Thread Reply:* MI Access can be leveraged and will cover Exchange and also the rest of O365 apps, while CBA is only useful for Exchange Online, so keep that in mind

🙏 Mikey2000
🍺 Mikey2000
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-07-29 15:55:26

*Thread Reply:* @Raul do you know how to stop exchange online CRL checking? Have tried to find it, but no luck

Raul (rnadal@mobileiron.com)
2020-07-29 15:56:29

*Thread Reply:* It depends on how you leveraged the PS1 commands

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-07-29 16:00:07

*Thread Reply:* New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation is the command I used. Which parameter will stop CRL checking?

Florent N. (Florent.NOSARI@econocom.com)
2020-07-29 13:32:39

Hello folks, does anyone know if it is possible to enable advanced options on MobileIron Go like we can do it for Mobile@Work?

NicolasR (raison_nicolas@me.com)
2020-07-29 17:26:03

*Thread Reply:* Not as far as I’m aware, what are you looking for?

Florent N. (Florent.NOSARI@econocom.com)
2020-07-29 18:59:09

*Thread Reply:* @NicolasR I was looking for the Google reauth feature

NicolasR (raison_nicolas@me.com)
2020-07-29 19:48:14

*Thread Reply:* Ok

Mark Vonk (mark.vonk@dahvo.com)
2020-07-30 10:55:47

*Thread Reply:* Feature or issue with reauth? Assuming you are referring to Google managed play reauth?

NicolasR (raison_nicolas@me.com)
2020-07-30 10:57:08

*Thread Reply:* there was an issue on CORE where we introduced manual re-auth request for Managed Google play for troubleshooting purposes. Not sure Cloud is affected at all from this, haven’t checked

Florent N. (Florent.NOSARI@econocom.com)
2020-07-30 11:00:06

*Thread Reply:* I was looking for Google Play reauth because some users are facing issues when using a user-based account. Changing to a device-based account resolves the issue, but the user has to re-enroll.

Tohsheen (tbazaz@mobileiron.com)
2020-07-30 12:31:15

*Thread Reply:* @Florent N. You should contact support for this. The re-auth that you are talking about should happen silently.

Tohsheen (tbazaz@mobileiron.com)
2020-07-30 12:37:28

*Thread Reply:* Also, there was something that only our support team could trigger for user>device account, as we did not want this to be done for all customers. I will leave it at that.

Florent N. (Florent.NOSARI@econocom.com)
2020-08-31 08:01:09

*Thread Reply:* thanks @Tohsheen

Mikey2000 (mscottscranton079@gmail.com)
2020-07-29 15:08:20

We deploy a managed app config for iOS for a Store app. The developer submitted us the XML so we can configure the app via MobileIron Core. The managed app config gets applied on the device, but no configuration is happening within the app. I am trying to find out why. Can’t think that the developer sent me a wrong XML. Any suggestions how I can find out more about this?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-07-29 15:57:28

*Thread Reply:* if the app is really managed and the XML gets applied, I think it's a syntax problem in the XML or a bug in the app

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-07-29 16:15:01

*Thread Reply:* Did you check the setting to use a plist instead of managed config, inside iOS app properties?

Mikey2000 (mscottscranton079@gmail.com)
2020-07-29 17:57:09

*Thread Reply:* @Raul not sure if I can follow you. Within the AppCatalog when I click on edit on the app there is not really a lot to configure and also no option to use a plist instead of a managed config - this is what you mean right? Would that mean that the app doesn’t support managed app configs? Just checked the option within Cisco Jabber, I can see the option there!

Uploading the managed config, is the file extension important? Like .plist or .xml?

Mikey2000 (mscottscranton079@gmail.com)
2020-07-29 17:58:19

*Thread Reply:* @Wolfgang Bauer thanks, yes the app is managed - checked that in the appcatalog..

Raul (rnadal@mobileiron.com)
2020-07-29 21:51:54

*Thread Reply:*

Raul (rnadal@mobileiron.com)
2020-07-29 21:52:45

*Thread Reply:* I’ve found that this setting only appears when the app accepts managed config so maybe that’s a different story

🙏 Mikey2000
Jay Robinson (Jay.Robinson@sas.com)
2020-07-31 14:48:14

Is anyone using MobileIron Cloud to deploy software to macOS? If so, hit me up. I’d love to pick your brain.

AJ (ajorgensen@mobileiron.com)
2020-08-03 01:12:54

*Thread Reply:* Sure what’s up?

Jay Robinson (Jay.Robinson@sas.com)
2020-08-03 14:02:59

*Thread Reply:* We currently use Munki and are evaluating MobileIron’s software delivery capabilities. One thing we would like to do is package and deliver a single file but MI doesn’t appear to be able to do this. It reports that it has installed it, but the package is nowhere to be found.

Jay Robinson (Jay.Robinson@sas.com)
2020-08-03 14:03:05

*Thread Reply:* Are you doing anything like this?

NicolasR (raison_nicolas@me.com)
2020-08-03 15:10:57

*Thread Reply:* Hey @Jay Robinson curious about the use case, as delivering as multiple files will also allow more granularity

CJFrickle (cjfrickle@gmail.com)
2020-08-03 15:25:04

*Thread Reply:* Hi @NicolasR, I work with Jay… the specific use case that brought this on goes like this. I want to place an executable in a location on the machine, that can be activated at a later date via the scripting tool in Mobile@work. When I package the executable file and deploy via munki---no problems at all. When I deploy the same package with MI, the file does not show up. I have tried a traditional package, a package created using the MI packaging tool, and signed and unsigned versions of each. With each deployment, Mobileiron says that the “app”[package] has been installed, but the executable is not present

CJFrickle (cjfrickle@gmail.com)
2020-08-03 15:26:16

*Thread Reply:* Also looking for the ability to cache packages like I can using the “precache” key in munki

NicolasR (raison_nicolas@me.com)
2020-08-03 15:26:25

*Thread Reply:* @Tohsheen ☝️This looks like something we can do but not sure, can you have a look?

Tohsheen (tbazaz@mobileiron.com)
2020-08-03 17:17:57

*Thread Reply:* @Jay Robinson @CJFrickle - lets talk about this on a call. ~I will shoot you an email about this

🍻 NicolasR
👍 Jay Robinson
CJFrickle (cjfrickle@gmail.com)
2020-08-03 15:22:21

@CJFrickle has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-08-04 06:27:08

We would like to add our On-Premise CRM tool to MobileIron Access (Access As A Service, Delegated IdP) so we can leverage SSSO and Conditional Access. We already authenticate with ADFS. Looking for the main tasks - I found documents for Cloud Services, but not how to add custom On-Premise applications. Can somebody point me in the right direction?

Basically I have to create a delegated IDP Pair for ADFS so I get the PS Script to execute on the ADFS to make Access aware. But how can I make sure that only our CRM tool is being used by Access? We have multiple On-Premise applications that use ADFS but we only want to use one of them with Access. Do we have to manually modify the claim rules on the ADFS or can the Access Admin Portal UI help here?

Raul (rnadal@mobileiron.com)
2020-08-04 08:21:15

*Thread Reply:* You can do depending on your ADFS version

Raul (rnadal@mobileiron.com)
2020-08-04 08:22:53

*Thread Reply:* ADFS 3 or 4 --> limit the claims providers that each Relying Party Trust can use, and allow Access only on the one you want to be sanctioned.

ADFS 4+ only --> You can apply the webtheme only to the RPT that will be sanctioned

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-08-04 10:17:14

*Thread Reply:* What would you recommend before executing the PS script on the ADFS - Snapshot, Backup or else, what is sufficient in case something went wrong.. not really too familiar with ADFS yet.

Raul (rnadal@mobileiron.com)
2020-08-04 18:05:35

*Thread Reply:* When you talk about ADFS + Access as Del-IdP, rolling back is as easy as setting the default webtheme active again.

🙏 Mikey2000
Raul (rnadal@mobileiron.com)
2020-08-04 18:06:42

*Thread Reply:* so add a ps1 file with the cmdlet to set the default webtheme, and you will be fine

🙏 Mikey2000
Raul (rnadal@mobileiron.com)
2020-08-04 18:07:46

*Thread Reply:* You can take a snapshot, but as the code that changes the traffic is contained in the custom webtheme that you are applying, rolling back is simply a powershell script

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-08-06 08:31:43

Can anyone tell me what the problem is when several iOS devices are not APNS capable and why they are not capable? This has to do with the APNS token which seems to be missing for Mobile@Work right? How do I solve this?

We are on Core 10.7.. Devices are able to check-in. The Devices are enrolled via DEP. I believe this could have something to do with Mobile@Work after the DEP enrollment. The user only has a certain amount of time to open the app until the token is gone right?

And one stupid question: what is the downside if the devices have no APNS token? Since the check-in works, all devices can get new configurations and policies anyway, right?

NicolasR (raison_nicolas@me.com)
2020-08-06 10:35:18

*Thread Reply:* APNS capable means that they are capable to receive APNS push messages inside the M@W client (different than MDM APNS). Users that have not launched M@W once are the ones that appear under APNS capable false.

By default users have 4 hours to open the client but since Core 10.5 you can change the value in the UI.

Downside: no client check-in (different from MDM check-in) and no Jailbreak detection/MTD activation

🍺 Mikey2000, Jason
👍 Ladislav Blazek
Mikey2000 (mscottscranton079@gmail.com)
2020-08-06 10:37:45

*Thread Reply:* So for all users who have not opened M@W within the 4h, they will have to open M@W and newly register? Is that even possible if the MDM profile is already installed? Or do we have to retire the device and re-enroll?

NicolasR (raison_nicolas@me.com)
2020-08-06 10:38:40

*Thread Reply:* Just delete Mobile@Work client and re-download it to get a new “window” (with the new TTL of the nonce token)

NicolasR (raison_nicolas@me.com)
2020-08-06 10:39:38

*Thread Reply:* **the download must be done from apps@work

Mikey2000 (mscottscranton079@gmail.com)
2020-08-06 10:40:44

*Thread Reply:* Ah ok.. so need to install a new profile? Because we block manual profile installation

NicolasR (raison_nicolas@me.com)
2020-08-06 10:41:47

*Thread Reply:* No!

NicolasR (raison_nicolas@me.com)
2020-08-06 10:41:58

*Thread Reply:* Simply the application

🙏 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-08-06 10:42:07

*Thread Reply:* Enrollment profile stays

Mikey2000 (mscottscranton079@gmail.com)
2020-08-06 10:42:56

*Thread Reply:* Thanks - saved my day 🙏

NicolasR (raison_nicolas@me.com)
2020-08-06 10:43:41

*Thread Reply:* 😉

Ladislav Blazek (ladislav@lblazek.cz)
2020-08-10 07:24:45

*Thread Reply:* Neat trick for DEP (supervised) devices is to hide other apps except M@W / use homescreen layout / change wallpaper (with a message) after enrollment to force users to open the app. You can create dynamic label based on client check-in / APNs capable flag etc. to disable that dumb mode automatically after successful client check-in.

🙏 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-08-24 16:12:10

*Thread Reply:* but that solution doesn’t really scale from customer reports: Label calculation may take up to 2/3 hours.... 😢

Mikey2000 (mscottscranton079@gmail.com)
2020-08-06 16:42:11

Anyone familiar with this error on Core? Some VPP apps will not install on the device:

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-07 07:05:19

*Thread Reply:* Is the app still there in store? Does the VPP Sync work on other apps?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-07 07:06:07

*Thread Reply:* Yes it is Mobile@Work. VPP sync works.. Other VPP apps are getting installed!

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-07 07:08:36

*Thread Reply:* bought enough copies of it in ABM? do you have multiple MDMs in one ABM location?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-07 07:09:18

*Thread Reply:* Yes plenty 500 licenses, only 2 devices at the moment. No, only one MDM

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-07 07:14:03

*Thread Reply:* try to delete mobile@work in core if only two devices and readd it (maybe select the correct country before search in core) and then refresh VPP token and try again

Mikey2000 (mscottscranton079@gmail.com)
2020-08-07 08:17:48

*Thread Reply:* We have 2000 devices which are not DEP enrolled. So they already have M@W deployed via the Default iOS Label. So I can‘t delete it that easily. We are in the process of migrating devices to DEP. So the first step would be to get rid of the iOS label. Having the iOS label (no VPP) and a new label for DEP devices (VPP enabled) on the same app - maybe that is the problem.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-07 09:40:57

*Thread Reply:* ah ok, hmm then maybe only token refresh and resync

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-08-07 11:39:08

How can we find out what the reason for a sent event is? After the upgrade to Core 10.7 Core is sending out a lot of warnings to the users „configuration not compatible“.. and we don‘t know why. Checked the blocked reason within the advanced search, but the affected devices are not shown. Any ideas how to locate this?

Security Reason Code: 0x40000000 Security State: 1 Is there an explanation what this means?

UPDATE: After the Upgrade to Core 10.7 most of these devices show under configurations - System iOS Enterprise AppStore the Status Update Failed!? In the Policy Violations Event the setting „iOS Configuration not compliant“ - is this related to the failed update of the webclip maybe?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-07 11:55:26

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2020-08-07 11:56:30

*Thread Reply:* Most of the devices are on the watchlist for these 3 system configs. I am sure this is related to the policy violations event „iOS configuration not compliant“ right? Looks like an Update issue

NicolasR (raison_nicolas@me.com)
2020-08-07 12:24:24

*Thread Reply:* Please raise support case... this kind of things can create a lot of subsequent issues

Mikey2000 (mscottscranton079@gmail.com)
2020-08-07 12:26:31

*Thread Reply:* Right I will, thanks But how can I find details in the event and what triggered the event? There is not really helpful info in the event

NicolasR (raison_nicolas@me.com)
2020-08-07 12:27:27

*Thread Reply:* The security event code is not publicly communicated for security reasons

NicolasR (raison_nicolas@me.com)
2020-08-07 12:27:42

*Thread Reply:* You can have the detail in plain text I think

NicolasR (raison_nicolas@me.com)
2020-08-07 12:28:01

*Thread Reply:* Somewhere in the device details but I don’t expect this to be related

Mikey2000 (mscottscranton079@gmail.com)
2020-08-07 12:33:25

*Thread Reply:* Ok thanks. It would be great if you could create an event template with more details. But not really a lot of variables which can print out more info.

mahiroux (mhyb.mk@gmail.com)
2020-08-09 11:05:24

Has someone deployed docusign(On Premise) digital signature solution via Mobileiron?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-10 17:27:07

Are there plans to support watchOS with Core or Cloud? How are you guys handling the Apple Watch within the company?

Mark Vonk (mark.vonk@dahvo.com)
2020-08-10 21:18:16

*Thread Reply:* There are no MDM payloads for watchOS, except for some iOS restrictions that you set for iPhones. As long as there is no MDM endpoint, there is not much any vendor can do to support it.

👍 Woody, Mikey2000
Woody (eric.woodland@trust.tc)
2020-08-10 23:51:28

*Thread Reply:* Yes, what @Mark Vonk said. Some of the policies for phone trickle-down to Watch. So at least we have that going 🙂

👍 Mikey2000
Woody (eric.woodland@trust.tc)
2020-08-11 01:47:04

Does anyone recall if there is a setting in GSuite to only allow Google Sync (ActiveSync) connections from trusted source networks? So if I wanted to front-end any EAS traffic with a Sentry (short term plan until we go Google Account when it’s fixed in Core), could I lock access down?

Woody (eric.woodland@trust.tc)
2020-08-11 01:48:10

I know we did this many moons ago when MI and Sentry were fresh on the scene. I just can’t remember if that’s still an option inside the GSuite admin area.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-11 12:47:48

Interesting question - is anyone using Microsoft Teams with MobileIron Access? We are planning to roll this out - should I expect any problems?

Woody (eric.woodland@trust.tc)
2020-08-11 13:41:01

*Thread Reply:* @Mikey2000 Do you have other O365 products in use with Access? Can't say I've yet seen a cookbook specific to Teams.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-11 13:41:49

*Thread Reply:* No nothing yet..

David Johansson (david.johansson@outlook.com)
2020-08-11 15:30:26

*Thread Reply:* iOS or Android?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-11 15:30:59

*Thread Reply:* Yes, iOS and Android Enterprise

David Johansson (david.johansson@outlook.com)
2020-08-11 15:33:27

*Thread Reply:* Android Enterprise works straight out of the box, some quirks with split tunneling on iOS.

🙏 Mikey2000, Woody
👍 Woody
Mark Vonk (mark.vonk@dahvo.com)
2020-08-11 16:36:15

*Thread Reply:* There is no cookbook for Teams specifically. Use the cookbook for ADFS and Office365 instead. Assuming you have ADFS of course. There are no cookbooks on individual Office365 apps, just Office365 in general, which includes Teams, but all other Office365 apps too. So others like EOL, Sharepoint, etc will be dealt by Access too.

We had an issue before with Teams not working combined with Access. To fix that we had to enable forms based authentication for Teams.

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-08-11 15:06:20

Has anyone seen this - can‘t see any new updates on Sentry 9.8.1 and if I click check updates I receive these errors:

Almar Diehl (almar.diehl@blaud.com)
2020-08-11 16:02:47

*Thread Reply:* To which version are you expecting to upgrade? Since you are on 9.8.1 there are no upgrades. There is a 9.8.5 but that is not a version you can upgrade to, only fresh install.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-11 16:05:09

*Thread Reply:* Ahhh ok! That explains it! 🤣 thanks

Woody (eric.woodland@trust.tc)
2020-08-11 15:55:11

@Mikey2000 happen to have a visual on the CLI when it fails?

Woody (eric.woodland@trust.tc)
2020-08-11 15:55:28

Or if you invoke a softwareupdate on the CLI what does it return?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-12 13:44:04

I can’t delete apps on DEP enrolled devices even though I have no restrictions in place (MobileIron Core) - where does this setting come from? It is not normal behavior right?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-12 14:03:13

*Thread Reply:* Do you have a Homescreen layout setting?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-12 14:16:30

*Thread Reply:* Ah yes I have.. Is that gonna bite me in the a$$?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-12 14:17:56

*Thread Reply:* If users install private apps they should be able to delete them

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-12 14:53:08

*Thread Reply:* yes that's your problem, i think

👍 Woody
Raul (rnadal@mobileiron.com)
2020-08-12 18:48:36

*Thread Reply:* They can do it from Device Settings / iPhone or iPad Storage but I agree this is not a good experience

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-08-12 18:54:45

*Thread Reply:* Good point, I didn’t know that - thanks 🙏

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-13 07:14:41

Android Enterprise connection from core doesn't work over outbound http proxy right?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-14 12:00:46

How do I have to use the Beta deployment option on labels with Core? I only see production in the dropdown menu when I try to attach the label to an app, no BETA. What am I missing here?

mahiroux (mhyb.mk@gmail.com)
2020-08-14 14:23:33

@Mikey2000 You need to inform your MI account manager to whitelist your Organization ID. Once they have done that, you will see the Alpha channel option under the dropdown while you assign the app (if a Beta version is available) to a label. Docs@work 2.11 beta testing is going on. So you can inform the MI team to include your organization ID as well.

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-08-14 14:26:19

*Thread Reply:* So the Beta option in the label is only visible when a developer adds our organizations ID within a Beta channel on GooglePlay?

mahiroux (mhyb.mk@gmail.com)
2020-08-14 14:28:46

*Thread Reply:* That is correct AFAIK.

👍 Mikey2000
Mark Vonk (mark.vonk@dahvo.com)
2020-08-14 14:42:47

*Thread Reply:* Yes indeed, the devs add your orgID. Then, after some time (could take some hours, up to a day), the alpha and beta channels show up.

🙏 Mikey2000
Woody (eric.woodland@trust.tc)
2020-08-17 14:46:14

Anyone know if Core supports SPLUNK Cloud? I see mentions of Enterprise, but was curious if I could plug in a Cloud indexer and achieve success?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-18 18:31:43

Mobile@Work has a button for enrollment via QR code. Is this related to Zero Sign-On or how can I leverage that?

Almar Diehl (almar.diehl@blaud.com)
2020-08-18 18:35:41

*Thread Reply:* You need to create a QR code for every single device registration and make it available to the end user. A colleague has created code that can be added to the enrollment template to automatically add a QR code to the registration mail and on screen info.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-18 18:38:55

*Thread Reply:* This sounds very interesting. So basically all the relevant info for enrollment needs to be in the QR code like userid or email, PIN or password.. Is your colleague using Web API call for this? This sounds great.

Almar Diehl (almar.diehl@blaud.com)
2020-08-18 18:39:42

*Thread Reply:* Yes, I will post the code later on.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-18 18:40:08

*Thread Reply:* Thank you - you’re the best! 👍

Almar Diehl (almar.diehl@blaud.com)
2020-08-18 19:00:24

*Thread Reply:* Ah, even better, MobileIron added the solution my colleague came up with to this Knowledge item.

https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TSDVSA4

Extract:

Implementing infrastructure for QR code with device PIN

The below procedure works for iOS devices and utilizes the PIN code as part of the registration.

1. Enable the PIN code registration
   1. Go to Settings > Users & Devices > Device Registration.
   2. Change the In-App registration requirement to Registration PIN.
2. Enable the QR code integration
   1. Go to Settings > Users & Devices > Device Registration.
   2. Click on Templates tab > Registration Templates.
   3. Select your language and then click the Edit button.
   4. In the Registration Email section, PIN field, replace the default text with this code:

```html
<!-- The QR image is rendered by api.qrserver.com; the data parameter is the
     URL-encoded mirp:// link carrying $SERVER_URL$, $USER_ID$ and $PASSCODE$. -->
<li>Registration PIN: <i>$PASSCODE$</i> (valid for $PASSCODE_TTL$ hours)
<p>
Or Scan the QR Code:
</p>
<P>
<img id='barcode'
src="https://api.qrserver.com/v1/create-qr-code/?data=mirp%3A%2F%2F$SERVER_URL$%26user%3D$USER_ID$%26pin%3D$PASSCODE$"
width="200"
height="200" />
</P>
```

   5. Click Save.

When this code has been added, administrators can directly register a device from the Device Registration screen in Core and / or the device user can initiate the registration from the e-mail invitation.
👍 Ladislav Blazek
Mikey2000 (mscottscranton079@gmail.com)
2020-08-18 19:03:19

*Thread Reply:* 2020 is getting better every day 😜👏👏👍👍

Mikey2000 (mscottscranton079@gmail.com)
2020-08-18 19:20:36

*Thread Reply:* The part with mirp://.. confuses me.. we still need a webpage?

Almar Diehl (almar.diehl@blaud.com)
2020-08-18 19:28:27

*Thread Reply:* No, mirp is the schema used by the Mobile@Work client. So the URL opens the M@W client and adds the data supplied in the URL to the registration fields.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-18 19:29:10

*Thread Reply:* Gotcha... have to try this tomorrow! Thanks!

Mikey2000 (mscottscranton079@gmail.com)
2020-08-19 17:13:07

*Thread Reply:* Works like a charm. Is this also included in the M@W for Android?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-19 19:17:50

*Thread Reply:* Got it, is also in M@W for Android and works fine!

Almar Diehl (almar.diehl@blaud.com)
2020-08-20 13:03:19

Just a quick question: we are using certificate pinning in the MobileIron Tunnel app. I guess that when we renew the SSL certificates of our Sentry servers (which will need to be done more often thanks to Apple) we also need to apply the new certificate to the Tunnel app? Since we got over 30.000 devices we will see some errors during the process (every device needs to apply the new Tunnel config). Or should we temporarily disable certificate pinning?

Mark Vonk (mark.vonk@dahvo.com)
2020-08-20 13:22:50

*Thread Reply:* Yes. You will need to “view” the Sentry certificate from Core as it makes Core aware of the new cert. Copy/paste the cert in the tunnel config and save to get a repush. Until the device gets the new tunnel config, it will fail to connect due to the mismatched certs. You could indeed disable pinning. But if the goal is to have certificate pinning enabled, I would not bother as it means you will have to repush the config multiple times.

👍 Mikey2000
Almar Diehl (almar.diehl@blaud.com)
2020-08-20 13:23:44

*Thread Reply:* Thanks for confirming Mark!

Mikey2000 (mscottscranton079@gmail.com)
2020-08-20 15:22:31

*Thread Reply:* Yes had already the pleasure of troubleshooting this!

Mikey2000 (mscottscranton079@gmail.com)
2020-08-20 15:21:37

If I change the in-app registration to PIN but the DEP profile uses Password, will this be a conflict or can we still use password for DEP enrollment?

AJ (ajorgensen@mobileiron.com)
2020-08-21 06:01:21

*Thread Reply:* Pretty sure DEP will use PIN

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 05:08:19

Is anyone using KCD with Web@Work and Docs@Work and has already switched to the new WebView? My SSO Configuration is somehow not correct because it is not working. Can someone share screenshots of a working configuration with me? Especially the VPN, the SSO and the SCEP for renewal and the Label attachment.

Almar Diehl (almar.diehl@blaud.com)
2020-08-21 07:56:29

*Thread Reply:* We have KCD working in W@W and D@W with WkWebView. However, without the SCEP renewal (so users have to enter their password once a day).

Hard to supply screenshot due to the nature of the company, so if you can supply your screenshots I can compare them.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 07:58:10

*Thread Reply:* Ok that would be fine. If you find some time could you share your configs? It is not working at all for us and I compared the configs with MobileIron Docs but was not able to find the error.

Almar Diehl (almar.diehl@blaud.com)
2020-08-21 07:59:03

*Thread Reply:* I edited my reply (hit the enter button too soon). Hard to supply screenshots.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 07:59:33

*Thread Reply:* Ok will do! Thanks

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 08:27:55
Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 08:28:26

*Thread Reply:* W@W

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 08:28:41

*Thread Reply:* SSO

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 08:29:05

*Thread Reply:* SCEP for SSO

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 08:29:22

*Thread Reply:* Everything is attached to the same label

Almar Diehl (almar.diehl@blaud.com)
2020-08-21 08:33:44

*Thread Reply:* I think your SSO config is wrong. In the username field you have $USERID$, this should be the Kerberos principal name.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 08:35:06

*Thread Reply:* You mean NT principal instead of the userid?

Almar Diehl (almar.diehl@blaud.com)
2020-08-21 08:48:21

*Thread Reply:* No, I mean the actual name of the account that has been created that has the right to fetch the kerberos ticket on behalf of the user.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 09:06:40

*Thread Reply:* Are you sure?

Almar Diehl (almar.diehl@blaud.com)
2020-08-21 09:42:20

*Thread Reply:* Sorry, I was looking at a wrong, not working, configuration in the test-environment. $USERID$ is correct. But in your SCEP configuration I see that you use $USER_UPN$ for the Subject Alternative Names. According to the documentation this should be $EMAIL$.

Almar Diehl (almar.diehl@blaud.com)
2020-08-21 09:48:00

*Thread Reply:* B.t.w. since you are using a local CA, is this CA ‘known’ by your AD servers?

If Local CA:
  • Requires trust between MI local CA and KDC
  • Follow directions in below KB entitled How to force KDC to trust local CA:
  • https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TUMpSAO

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 09:48:56

*Thread Reply:* Core was integrated as a SubCA within our Microsoft PKI

Almar Diehl (almar.diehl@blaud.com)
2020-08-21 09:52:10

*Thread Reply:* In your SSO config, set the Identity Certificate to None for testing purposes. You should then just be prompted for your password. And otherwise, enable level 3 or 4 logging on the Sentry server and see if there are any errors there.

Mikey2000 (mscottscranton079@gmail.com)
2020-08-21 09:52:55

*Thread Reply:* Good point, thanks! I will give it a try and keep you posted.

Marco Nielsen (MarcoNielsen@msn.com)
2020-08-21 06:43:18

@Marco Nielsen has joined the channel

Marco Nielsen (MarcoNielsen@msn.com)
2020-08-21 06:44:47

Bloomberg reporting that MobileIron possibly going up for sale: https://www.bloomberg.com/news/articles/2020-08-20/software-company-mobileiron-is-said-to-explore-potential-sale

🤔 Woody
😳 Mikey2000
👏 Caryn
Mikey2000 (mscottscranton079@gmail.com)
2020-08-23 20:25:13

*Thread Reply:* This is interesting... or frightening.. not sure yet!

Suresh Gopi Kolluri (kollurisureshgopi73@gmail.com)
2020-08-22 17:12:19

@Suresh Gopi Kolluri has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-08-24 06:52:23

Third party MDMs can soon be used with Intune and Conditional Access - currently only WS1 in the list. Can anyone tell me when this is coming for MobileIron Core?

https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#set-device-compliance-state-from-third-party-mdm-providers

AJ (ajorgensen@mobileiron.com)
2020-08-24 08:17:39

*Thread Reply:* It’s unfortunate that MS essentially paywalled the old API - in any case, Core is expected to have this very very soon. Chat to your account rep if you want to enquire about the beta

🙏 Mikey2000, Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-08-24 20:21:51

*Thread Reply:* Core 10.8 should be released in the second week of September. Not sure if this feature was implemented though

Mikey2000 (mscottscranton079@gmail.com)
2020-08-26 06:52:37

We started a while back before iFrame was available in Core to deploy inhouse apps for Android Enterprise devices via Google Console. Now that the iFrame integration on Core is pretty cool, is there a way to bring the existing inhouse app into the iFrame view on Core so we could do the update management from there? Currently we don’t see the app there.

Raul (rnadal@mobileiron.com)
2020-08-26 12:07:18

*Thread Reply:* You have to share the apps uploaded to dev account with iFrame account Google Enterprise ID.

Raul (rnadal@mobileiron.com)
2020-08-26 12:07:39

*Thread Reply:* From dev console

Mikey2000 (mscottscranton079@gmail.com)
2020-08-26 12:19:48

*Thread Reply:* You mean upload the APK again? But the package name will exist within Google Play already

Matt Dermody (jmdermody@gmail.com)
2020-08-26 14:24:44

*Thread Reply:* No you’ll have to assign it from one to the other via the Org ID

Matt Dermody (jmdermody@gmail.com)
2020-08-26 14:25:30

*Thread Reply:* it will still be primarily housed in the original location but you will be able to have visibility to it through the iFrame once it is shared with the org ID associated with that iFrame

Matt Dermody (jmdermody@gmail.com)
2020-08-26 14:25:31

*Thread Reply:* https://arsenb.wordpress.com/2020/07/01/how-to-publish-an-app-to-customers-managed-play-store-with-android-enterprise/

Matt Dermody (jmdermody@gmail.com)
2020-08-26 14:25:45

*Thread Reply:* arsen covers this process fairly well

Mikey2000 (mscottscranton079@gmail.com)
2020-08-26 14:26:02

*Thread Reply:* Ah wow thanks I will look into that

fridomac (fridomac@googlemail.com)
2020-08-27 07:24:01

Is it normal behaviour that when we send out a large number of push notifications (to iOS devices, e.g. that an update to iOS is available), a lot of devices will never get that notification? Is it a problem on the Core side or more on the device side?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-27 08:36:40

*Thread Reply:* this is a known issue at Core. make little groups or use mail notification instead.

:thanks: fridomac
fridomac (fridomac@googlemail.com)
2020-08-27 11:15:50

*Thread Reply:* Ok, thank you, we will split the messages into smaller groups, then....

fridomac (fridomac@googlemail.com)
2020-08-27 11:58:12

*Thread Reply:* @Wolfgang Bauer is there an issue number or something we can refer to to get this issue fixed? Or just something learned from experience 😉

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-27 11:59:47

*Thread Reply:* It’s a known issue by asking MI. I don’t have an issue ID and don’t know a KB article. Open a ticket 😉

fridomac (fridomac@googlemail.com)
2020-08-27 12:22:41

*Thread Reply:* Will do that, that’s why I asked...:-)

👍 Wolfgang Bauer
Mikey2000 (mscottscranton079@gmail.com)
2020-08-28 19:28:09

Anyone seen the new Gartner Magic Quadrant? MI dropped out of the leaders! Thoughts?

Mikey2000 (mscottscranton079@gmail.com)
2020-08-29 21:11:45

*Thread Reply:* Ok I’ll start.. Sure this might be related mostly because of Windows 10, which is not huge with MobileIron. But this will make it hard or even impossible to make the argument that MobileIron is way more superior than Intune, which I still believe is the case in so many ways! You may think what you want about Gartner, but I believe this is pretty much the first nail in the coffin for every admin who is fighting the war on the field day by day preventing migrations from MobileIron to Intune.

👍 Caryn
Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-08-31 06:57:33

*Thread Reply:* It’s the magic quadrant of Windows management. They reframed the criteria (towards Windows management). So there are only a few vendors in the race. The only way to keep the quadrant was to shift positions, which was done badly I think..

👍 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-08-31 10:31:45

*Thread Reply:* Hi, Gartner have added a lot of weight to VDI scenarios where Microsoft and VMware are strong and where MobileIron have nothing at the moment. This is one of the biggest reasons why we are here.

  • legacy Windows 7 management is more important than expected
👍 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-08-31 10:33:41

*Thread Reply:* Also this year due to COVID-19 Gartner didn’t take feedback from customers like other times, which was a big miss in our case as our customers are our best asset 😍 (proof point is Gartner peer insight)

👍 Mikey2000
AJ (ajorgensen@mobileiron.com)
2020-09-01 07:18:13

*Thread Reply:* This quadrant is weighted very heavily on VDI and Windows 10. It doesn’t reference Intune specifically, rather MEM and the data should be taken as such. I see a lot of spruikers on LinkedIn talking about their amazing foresight, when they’re basically asleep at the wheel and can be replaced by any other mindless MSP that recommends MS without taking into consideration business requirements, as demonstrated by their lack of understanding (or wilful misrepresentation) of this data. Neither product is better or worse than it was prior to the quadrant announcement and as usual, make a business case and measure requirements before making a decision.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-08-31 11:11:51

Can I change an existing LDAP configuration on Core from LDAP(389) to LDAPS(636) without impact or should I create a new configuration for LDAPS?

Almar Diehl (almar.diehl@blaud.com)
2020-08-31 11:13:26

*Thread Reply:* Yes you can, no problem.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-08-31 11:22:06

*Thread Reply:* Thanks 🙏🙏

Mikey2000 (mscottscranton079@gmail.com)
2020-09-01 09:44:09

I need to create a report from Core how many devices have no passcode - for iOS there is the property “passcode present”.. what about Android devices? Can’t find anything useful!

Almar Diehl (almar.diehl@blaud.com)
2020-09-01 10:27:53

*Thread Reply:* If you require your users to change the passcode every x days you can use the following filter:

"common.platform" = "Android" AND "android.prvpasswordexpiration_timeout" = null

Mikey2000 (mscottscranton079@gmail.com)
2020-09-01 10:50:01

*Thread Reply:* The problem is we had an issue with a label so a lot of devices didn’t receive the security policy where a passcode was enforced. They received the default security policy with optional passcode. So we just want to know how many devices have no passcode set!

Raul (rnadal@mobileiron.com)
2020-09-01 13:52:49

*Thread Reply:* When there’s no passcode, encryption is disabled

Raul (rnadal@mobileiron.com)
2020-09-01 13:53:01

*Thread Reply:* so you can use that attribute on filter

Mikey2000 (mscottscranton079@gmail.com)
2020-09-01 14:02:43

*Thread Reply:* This is also the case for Android device admin and Android Enterprise?

Raul (rnadal@mobileiron.com)
2020-09-01 16:11:34

*Thread Reply:* Umm, not sure

Almar Diehl (almar.diehl@blaud.com)
2020-09-01 16:53:46

*Thread Reply:* Most modern Android devices have encryption enabled out of the box.

Almar Diehl (almar.diehl@blaud.com)
2020-09-02 12:56:28

Anyone using a Managed App Config (plist) that installs a SCEP certificate for the app? Certificate will be used for certificate based authentication to a backend server. Just wondering how to set up the SCEP certificate in the plist file. Should the following work?

<key>usercertificate</key> <string>$CERT_ALIAS:[SCEP CERT NAME]$</string>

😎 Thomas B.
Florent N. (Florent.NOSARI@econocom.com)
2020-09-03 20:40:14

Hello, will Web@Work be available for AE ?

Mathieu Beaugrand (beaugrandma@gmail.com)
2020-09-03 23:34:32

*Thread Reply:* W@W is not available for AE, MI decided to use chrome instead as essentially almost everything that you could do with W@W can be achieved with Chrome and AppConfig.

Florent N. (Florent.NOSARI@econocom.com)
2020-09-04 12:46:26

*Thread Reply:* Hello Mathieu, I was just wondering if it was newly added to AE because the screenshot said that it is available on the Google Play

Tim (tim.struik@blaud.com)
2020-09-04 16:00:15

@Tim has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-09-07 17:41:25

WKWebview deprecation - why do we have to choose no identity certificate in the W@W config when using Tunnel and the new WKWebview? (MI Core 10.7.0.0)

Raul (rnadal@mobileiron.com)
2020-09-07 17:46:29

*Thread Reply:* If you just need to replace AppTunnel to Tunnel to Connect, then you don’t need to add a cert to authenticate to Sentry.

Raul (rnadal@mobileiron.com)
2020-09-07 17:46:47

*Thread Reply:* So just apply per-app VPN, add the KVP and apply iOS SSO

Raul (rnadal@mobileiron.com)
2020-09-07 17:47:02

*Thread Reply:* Then you will have the same passwordless experience and connectivity

Raul (rnadal@mobileiron.com)
2020-09-07 17:47:36

*Thread Reply:* For the connectivity, Tunnel will present its own cert in order to connect to Sentry

Raul (rnadal@mobileiron.com)
2020-09-07 17:49:04

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2020-09-07 17:52:15

*Thread Reply:* Thanks Raul! Yes that is exactly how my configuration looks, but I Still have some difficulties with this - SSO won’t work.

Mikey2000 (mscottscranton079@gmail.com)
2020-09-07 17:52:29

*Thread Reply:* Will have to look deeper into this

Mikey2000 (mscottscranton079@gmail.com)
2020-09-07 17:53:03

*Thread Reply:* No rules within the W@W config would tunnel everything thru sentry right?

Mikey2000 (mscottscranton079@gmail.com)
2020-09-07 17:53:51

*Thread Reply:* I have enabled the VPN within the W@W app to trigger, but I don’t see the VPN sign like I do with Safari

Raul (rnadal@mobileiron.com)
2020-09-08 10:28:31

*Thread Reply:* ah, because you have to send a command to reinstall the app on all devices so the Per-App VPN flag is applied. It’s only added during app installation.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-09-08 12:57:52

*Thread Reply:* Thanks - solved it! 🍺

Mikey2000 (mscottscranton079@gmail.com)
2020-09-08 12:57:08

Hey does that get triggered for users on MobileIron Core?

NicolasR (raison_nicolas@me.com)
2020-09-08 15:17:34

*Thread Reply:* user based VPP 🙂

Raul (rnadal@mobileiron.com)
2020-09-08 15:18:08

*Thread Reply:* better use Device based VPP

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-09-08 15:19:30

*Thread Reply:* Oh really.. someone must have chosen this wrong. Any chance I can find out quickly which app was chosen for user based VPP without going through every app?

NicolasR (raison_nicolas@me.com)
2020-09-08 15:20:05

*Thread Reply:* apart from browsing the database I don’t think

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-09-08 15:21:57

*Thread Reply:* Yeah, I don’t know if it will prompt you to accept it for each app that is set as User Based

👍 Mikey2000, Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-09-08 15:22:45

*Thread Reply:* Thanks guys! 🙏

🍻 Raul
Mikey2000 (mscottscranton079@gmail.com)
2020-09-09 20:12:17

*Thread Reply:* We are still receiving prompts on a lot of devices even though we found the app that caused it and changed it to device-based license. Any caches we need to clean?

NicolasR (raison_nicolas@me.com)
2020-09-10 08:12:26

*Thread Reply:* probably that you have another app in that config

Mikey2000 (mscottscranton079@gmail.com)
2020-09-10 08:13:52

*Thread Reply:* We went through every app, everything device-based. But we have a couple of apps in different device spaces - maybe there is a mismatch

Almar Diehl (almar.diehl@blaud.com)
2020-09-09 09:24:25

Anyone using HCL Sametime (formerly IBM Chat) in combination with Per-App VPN? For some reason VPN is not automatically starting when the app is launched. When manually starting VPN the app works OK.

Thomas B. (tbosboom@apple.com)
2020-09-17 08:00:51

*Thread Reply:* I think iOS 14 has some enhancements to triggering per-app VPN; would you happen to have tested in 14?

Mikey2000 (mscottscranton079@gmail.com)
2020-09-10 10:47:34

Are there plans to support .pkpass extension (Apple Wallet) for Email+?

NicolasR (raison_nicolas@me.com)
2020-09-10 13:28:19

*Thread Reply:* A feature request is opened but no real progress for now, don’t expect 2020: PREQS-452

NicolasR (raison_nicolas@me.com)
2020-09-10 13:28:33

*Thread Reply:* feel free to reach PMs about that 🙂

Mikey2000 (mscottscranton079@gmail.com)
2020-09-10 13:33:09

*Thread Reply:* Thank you 🙏🙏

Mikey2000 (mscottscranton079@gmail.com)
2020-09-10 16:08:46

If this is enabled a user cannot add and remove accounts - for Work Profile that means that a user cannot add accounts within the work profile, right? Within the private profile he still can, right? (MobileIron Core)

Raul (rnadal@mobileiron.com)
2020-09-10 16:13:45

indeed

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-09-10 16:33:48

Are there any videos of MobileIron MTD of like phishing protection and how it looks like in action? Could not find a lot on the knowledge base. Thanks!

NicolasR (raison_nicolas@me.com)
2020-09-10 22:14:55

*Thread Reply:* iOS?

NicolasR (raison_nicolas@me.com)
2020-09-10 22:15:50

*Thread Reply:* Just recorded on my device (sorry it’s in French)

👍 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-09-10 22:17:14

*Thread Reply:* Otherwise more official videos are here

https://www.youtube.com/c/mobileiron

👍 Mikey2000, Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-09-11 09:18:23

*Thread Reply:* Thanks, great videos! Can MTD also help with use case that a virus scanner would do, like if a user opens an attachment on the device which contains a threat or if the user wants to store that attachment on the device?

Tohsheen (tbazaz@mobileiron.com)
2020-09-16 21:55:43

*Thread Reply:* i would say, yes. I am not a MTD expert

NicolasR (raison_nicolas@me.com)
2020-09-18 18:06:24

*Thread Reply:* @Stefan Feicke ☝️

Stefan Feicke (greatwhiteshark2@icloud.com)
2020-09-19 14:21:31

*Thread Reply:* Virus scanners are comparing files based on their hashes. Having a malicious app or a doc containing weird code does not pose a risk per se. Based on the fact that depending on the platform filesystem based scans can not be performed due to lack of permissions and/or sandboxing concepts, such scans simply can not happen because of this limitation. MTD uses AI trained engines to detect abnormal behavior on the device compared against expected normal behavior.

🍻 NicolasR, Mikey2000
Tohsheen (tbazaz@mobileiron.com)
2020-09-22 21:09:06

*Thread Reply:* Yes, that makes sense. I think i assumed someone was executing malware sourced from a file

Mikey2000 (mscottscranton079@gmail.com)
2020-09-15 07:20:38

The new versions of W@W and D@W for WKwebview only are scheduled for release today - not there yet - any idea when this will happen?

NicolasR (raison_nicolas@me.com)
2020-09-15 09:40:46

*Thread Reply:* They were pushed to 9/21 as far as I remember

Mikey2000 (mscottscranton079@gmail.com)
2020-09-15 09:41:59

*Thread Reply:* So not today? On september 21?

NicolasR (raison_nicolas@me.com)
2020-09-15 09:42:27

*Thread Reply:* I think I saw that somewhere

NicolasR (raison_nicolas@me.com)
2020-09-15 09:44:19

*Thread Reply:* confirmed that this is the current plan

👍 Mikey2000
NicolasR (raison_nicolas@me.com)
2020-09-15 09:44:46

*Thread Reply:* by the way the beta is out

👍 Mikey2000
Jason (jasonh@bridgeway.co.uk)
2020-09-15 10:10:16

*Thread Reply:* <minor rant> I wish people would use dd/mm by default, or failing that, the ISO standard of yyyy/mm/dd … </minor rant> 🙂

🤣 Mikey2000
😄 NicolasR, Mark Vonk
Mikey2000 (mscottscranton079@gmail.com)
2020-09-21 17:28:51

*Thread Reply:* Still no new version. What’s going on?

NicolasR (raison_nicolas@me.com)
2020-09-22 12:45:36

*Thread Reply:* waiting for review

NicolasR (raison_nicolas@me.com)
2020-09-22 12:45:46

*Thread Reply:* at the Apple AppStore

Raul (rnadal@mobileiron.com)
2020-09-15 07:44:14

It will be very soon but remember that Apple is not a fast releasing company

👍 Woody, Mikey2000
macbentosh (benbergthold@gmail.com)
2020-09-17 03:22:56

Just had another admin Send an install request to ALL. how do I stop it!

Tohsheen (tbazaz@mobileiron.com)
2020-09-17 08:31:09

*Thread Reply:* hope it was not TikTok app 😛

🤣 Mikey2000, Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-09-18 09:24:21

Can anyone tell me how the XML file should look like with a Managed App Config for iOS? (MI Core)

Almar Diehl (almar.diehl@blaud.com)
2020-09-18 11:24:16

*Thread Reply:* Something like:

<managedAppConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <version>1</version> <bundleId>com.adobe.Adobe-Reader</bundleId>

🙏 Mikey2000
👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-09-18 11:53:43

*Thread Reply:* Thanks.. I used a key tag for this..

Mikey2000 (mscottscranton079@gmail.com)
2020-09-18 16:36:48

*Thread Reply:* Thanks, worked like a charm thanks to your hint

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-09-18 11:54:35

Real Time Push Notifications with Exchange Online - will this work, or the better question: is this supported?

Clark (76clark@gmail.com)
2020-09-20 14:07:04

*Thread Reply:* Yes, you can do RTN for Office 365

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-09-20 14:27:25

*Thread Reply:* Of course with Sentry, right? Is there a documentation for this?

Mikey2000 (mscottscranton079@gmail.com)
2020-09-20 14:27:50

*Thread Reply:* Because ENS states O365 is not supported

Stefan Feicke (greatwhiteshark2@icloud.com)
2020-09-18 18:06:27

@Stefan Feicke has joined the channel

JaR3 (reesemachine@gmail.com)
2020-09-21 15:13:59

@JaR3 has joined the channel

Woody (eric.woodland@trust.tc)
2020-09-21 21:00:13

Has anyone upgraded Core to 10.8? Any issues to report? Need to get it into PROD to support the new Google Account on iOS.. but typically wait until there is a .1 update to resolve any issues.

Mark Vonk (mark.vonk@dahvo.com)
2020-09-22 06:03:59

*Thread Reply:* In test (4 Cores in total) it is working fine. No production upgrades yet though.

👍 NicolasR, Woody
NicolasR (raison_nicolas@me.com)
2020-09-22 08:32:48

*Thread Reply:* @Pierre FYI 👆

Fabian (mobilxperts@neokortex.de)
2020-09-23 15:39:40

*Thread Reply:* Some hundred Cores upgraded to 10.8 - No issues yet

✅ Woody, NicolasR
Woody (eric.woodland@trust.tc)
2020-09-23 17:17:06

*Thread Reply:* @Fabian you’re a rockstar!

Pierre (pierre.tabanous@digitaldimension.fr)
2020-09-25 08:08:21

*Thread Reply:* yes, thanks :)

Mikey2000 (mscottscranton079@gmail.com)
2020-09-23 05:17:06

Microsoft Tunnel? Wow, very intuitive name! Sounds like copyright infringement to me 🤣

https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/introducing-microsoft-tunnel-for-remote-access-to-corporate/ba-p/1685044

Raul (rnadal@mobileiron.com)
2020-09-23 07:12:44

*Thread Reply:* Yeah, and VMware did the same

Raul (rnadal@mobileiron.com)
2020-09-23 07:12:51

*Thread Reply:* with Access

Mikey2000 (mscottscranton079@gmail.com)
2020-09-23 07:13:27

*Thread Reply:* Really? WS1 Access?

Raul (rnadal@mobileiron.com)
2020-09-23 07:14:29

*Thread Reply:* https://www.vmware.com/products/workspace-one/access.html

Almar Diehl (almar.diehl@blaud.com)
2020-09-23 08:07:39

*Thread Reply:* Since we need a Linux server to run MS Tunnel, could we install MS Tunnel on a MI Sentry server 😂

🤣 Mikey2000, NicolasR, Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-09-23 08:38:25

*Thread Reply:* Good idea 😜👍

Jason (jasonh@bridgeway.co.uk)
2020-09-23 10:17:21

*Thread Reply:* How much longer before MobileIron takes them to court for copyright infringement, anti-competitive practices and patent infringements?

☝️ Mikey2000
NicolasR (raison_nicolas@me.com)
2020-09-23 10:19:39

*Thread Reply:* They also copied MobileIron Rooms! https://techcommunity.microsoft.com/t5/exchange-team-blog/book-a-workspace-in-outlook/ba-p/1524560 #onlyDinausorsKnow 😎

Mikey2000 (mscottscranton079@gmail.com)
2020-09-23 10:20:51

*Thread Reply:* MI Rooms is still available?

NicolasR (raison_nicolas@me.com)
2020-09-23 10:21:06

*Thread Reply:* HOPEFULLY NO 😂

🤣 Mikey2000, Jason, Woody
Paul Conaty (pconaty@cwsi.ie)
2020-09-23 11:52:27

*Thread Reply:* WS1 Tunnel, MI Tunnel, MS Tunnel. It’s a synonym for VPN these days

Mikey2000 (mscottscranton079@gmail.com)
2020-09-23 11:55:26

*Thread Reply:* As long as they don’t call it Microsoft MobileIron Tunnel..

😂 Raul, Jason
Raul (rnadal@mobileiron.com)
2020-09-23 12:03:38

*Thread Reply:* WS1 changed the product name to Tunnel long time after MI released the product.

Mikey2000 (mscottscranton079@gmail.com)
2020-09-28 07:04:35

We need to renew our external certificate for Core and Sentry. The new shorter certificate lifetime requirement for iOS 14, is this also required here?

Almar Diehl (almar.diehl@blaud.com)
2020-09-28 07:13:54

*Thread Reply:* Yes.

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-09-28 07:32:37

*Thread Reply:* Well this just sucks.. thanks!

Almar Diehl (almar.diehl@blaud.com)
2020-09-28 07:49:58

*Thread Reply:* It sure does suck. And it can get worse because there are ideas of lowering the lifetime to 98 days.

😳 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-09-28 07:56:44

*Thread Reply:* But this does not affect user certificate that we use for KCD right?

Almar Diehl (almar.diehl@blaud.com)
2020-09-28 08:03:33

*Thread Reply:* No, those are safe 🙂

👍 Mikey2000
Almar Diehl (almar.diehl@blaud.com)
2020-09-28 08:04:04

*Thread Reply:* But then again, those would be the ones that are easy to (automatically) renew.

Mikey2000 (mscottscranton079@gmail.com)
2020-09-28 08:04:25

*Thread Reply:* Yes, you are right!

Almar Diehl (almar.diehl@blaud.com)
2020-09-28 11:36:39

MobileIron acquired by Ivanti!

Mikey2000 (mscottscranton079@gmail.com)
2020-09-28 11:36:40

So, MobileIron was bought by Ivanti. Not sure what to think of this! 🤔

https://www.mobileiron.com/en/company/press-room/press-releases/mobileiron-to-be-acquired-by-ivanti

🤔 Matt Dermody
Paul Conaty (pconaty@cwsi.ie)
2020-09-28 11:41:54

*Thread Reply:* Interesting that PulseSecure was also picked up. Ivanti looking to build a suite of endpoint management, security, and connectivity. Makes sense as that’s where WS1, Symantec, Microsoft etc are all going

✅ Woody
Jason (jasonh@bridgeway.co.uk)
2020-09-28 12:31:42

*Thread Reply:* Initial thoughts: I like the Pulse Secure co-acquisition, there’s a lot of strength in that approach, which could lead to a great combination in many customer deployments.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2020-09-28 12:32:53

*Thread Reply:* My most immediate questions would be around Ivanti’s previous track record in their earlier acquisitions, their go-to-market model, and their planned execution of their vision.

👍 Woody, Jay
Jason (jasonh@bridgeway.co.uk)
2020-09-28 12:33:00

*Thread Reply:* Time will tell…

➕ NicolasR, Woody
Marco Nielsen (MarcoNielsen@msn.com)
2020-09-28 14:12:35

*Thread Reply:* Agreed, Ivanti is definitely trying to build up a strong offering, but will need a strong execution.

👍 Woody, Mikey2000
Woody (eric.woodland@trust.tc)
2020-09-28 21:18:11

*Thread Reply:* I think MobileIron's suite of offerings will make a nice pairing with what Ivanti is bringing to the table. As much as I hate to say it, I've felt that things plateaued after the release of Access. Here's hoping the relationship jives and takes things to the next level for everyone involved!

👍 Mikey2000, Caryn, Jason
Mikey2000 (mscottscranton079@gmail.com)
2020-09-28 21:45:49

*Thread Reply:* The interesting part is how and if this will affect current MobileIron licenses in terms of features - and vice versa. And it also might be the case that the brand name “MobileIron” will disappear - what do you think?

Woody (eric.woodland@trust.tc)
2020-09-28 22:24:30

*Thread Reply:* @Mikey2000 My guess that they just absorb everything and leave it as-is (perhaps for 1-2 years). Then start to rebrand/re-align/etc

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-09-29 07:12:35

*Thread Reply:* Let’s make some bets! 😜

😆 Woody
mahiroux (mhyb.mk@gmail.com)
2020-09-28 13:51:07

Are there any mobileiron documents available on how to enable KCD for docs@work?

NicolasR (raison_nicolas@me.com)
2020-09-28 13:53:08

*Thread Reply:* ios?

mahiroux (mhyb.mk@gmail.com)
2020-09-28 13:56:41

*Thread Reply:* Yes

NicolasR (raison_nicolas@me.com)
2020-09-28 13:58:50

*Thread Reply:* forget about KCD, iOS doesn’t support UIWebView anymore which allowed us to do KCD. Use iOS SSO payload with Kerberos

Raul (rnadal@mobileiron.com)
2020-09-28 14:08:44

*Thread Reply:* For CIFS and for SharePoint when FBA and webview is disabled, KCD still works

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-09-28 14:08:54

*Thread Reply:* On D@W

👍 Mikey2000
Florent N. (Florent.NOSARI@econocom.com)
2020-09-28 15:56:36

Hello, is it possible to use PIN registration with KME on Cloud ? It keeps asking for password and failed to register.

Raul (rnadal@mobileiron.com)
2020-09-28 16:08:04

*Thread Reply:* Are you specifying a MDM URI?

Raul (rnadal@mobileiron.com)
2020-09-28 16:08:07

*Thread Reply:* If so, don’t do

Raul (rnadal@mobileiron.com)
2020-09-28 16:08:32

*Thread Reply:* this way you will ensure that Go only prompts for username, and then redirection happens

Florent N. (Florent.NOSARI@econocom.com)
2020-09-28 16:08:58

*Thread Reply:* Thank you, good to know

Raul (rnadal@mobileiron.com)
2020-09-28 16:09:02

*Thread Reply:* It’s the same as when using an IdP to login to MI Cloud

Florent N. (Florent.NOSARI@econocom.com)
2020-09-28 16:36:03

*Thread Reply:* My bad... RTFM to me

ytakamura (ytakamura@yourinventit.com)
2020-09-29 06:00:08

@ytakamura has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-09-29 13:31:11

I want to create a label for Exchange users which have already been migrated to Exchange Online. I know there is an Active Directory property that shows if the mailbox is hosted Online or On-Prem. I forgot it, does anyone know this? Is it msExchRemoteRecipientType = 4

Mark Vonk (mark.vonk@dahvo.com)
2020-09-29 13:34:05

https://oddytee.wordpress.com/2018/06/11/attributes-change-for-an-ad-user-a-mailbox-is-moved-to-exo/

🙏 Mikey2000
Peter Mohr (pm@conscia.com)
2020-09-29 14:24:12

I use these values for Exchange Online: (&(objectCategory=person)(|(msExchRecipientTypeDetails=2147483648)(msExchRecipientTypeDetails=8589934592)(msExchRecipientTypeDetails=17179869184)(msExchRecipientTypeDetails=34359738368)))

And these for on-prem: (&(objectCategory=person)(|(msExchRecipientTypeDetails=1)(msExchRecipientTypeDetails=2)(msExchRecipientTypeDetails=4)(msExchRecipientTypeDetails=16)(msExchRecipientTypeDetails=32)(msExchRecipientTypeDetails=128)))

👏 Woody
👍 Mikey2000
Jason (jasonh@bridgeway.co.uk)
2020-09-29 17:15:39

*Thread Reply:* @Steve Hayton FYI?

Nick (nickdiaz@gmail.com)
2020-09-30 14:14:40

*Thread Reply:* @Peter Mohr Using a MI Core that has users on multiple M365 tenants, I'm working on a similar label to selectively apply a mail config to users whose mailboxes have migrated. I see that the values you listed are in this article: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/recipient-type-values/7c2620e5-9870-48ba-b5c2-7772c739c651 My concern is that I would need the MI label to ascertain both that the user's mailbox has migrated, and to which tenant. So rhetorically, I'm wondering if I need to combine msExchRecipientTypeDetails and targetAddress.

Peter Mohr (pm@conscia.com)
2020-09-30 14:21:02

*Thread Reply:* Why do you care about tenants? For mail and app configure it’s all the same for all tenants

Nick (nickdiaz@gmail.com)
2020-09-30 14:23:13

*Thread Reply:* Agreed that in most cases, it would be. But I'm afraid that in this case, the M365 tenant destinations are not the same.

Nick (nickdiaz@gmail.com)
2020-09-30 14:25:25

*Thread Reply:* But I guess that gets too complicated. Simpler question: Do you mean that you used msExchRecipientTypeDetails in your MI labels?

Woody (eric.woodland@trust.tc)
2020-09-29 19:12:09

FYI // This is being addressed in Core HotFix 10.8.0.0a

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-09-29 20:28:03

Excuse me, but am I the only one? I don’t get it! Is that supposed to be funny or rather serious?

Woody (eric.woodland@trust.tc)
2020-09-29 20:32:53

My guess is they're showing how Avanti took the fast track into the magic quadrant?

➕ JaR3
🤣 Caryn, Jason
Mikey2000 (mscottscranton079@gmail.com)
2020-09-29 20:41:01

*Thread Reply:* Yes that would be my guess too! And I like your word association - Avanti! 🤣

😆 Woody
Raul (rnadal@mobileiron.com)
2020-09-29 23:58:54

*Thread Reply:* Gartner gave a lot of importance to areas like old client management and VDI this year

Raul (rnadal@mobileiron.com)
2020-09-29 23:59:12

*Thread Reply:* MI don’t provide those features, hence the movement

Raul (rnadal@mobileiron.com)
2020-09-29 23:59:37

*Thread Reply:* Check Forrester Wave Quadrant to find what I mean

👍 Woody
Raul (rnadal@mobileiron.com)
2020-09-30 00:00:13

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2020-09-30 08:56:29

MobileIron Core - Provisioning Port 8080 - this is default, right? Where can this be changed to 443? Any device impact after changing it to 443?

Raul (rnadal@mobileiron.com)
2020-09-30 09:08:21

*Thread Reply:* if you see 8080 this means this Core was built a long time ago

Raul (rnadal@mobileiron.com)
2020-09-30 09:08:28

*Thread Reply:* Now only 443 is allowed

👍 Woody
Raul (rnadal@mobileiron.com)
2020-09-30 09:08:42

*Thread Reply:* You can change that port from MICS portal / Settings / Port Settings

Raul (rnadal@mobileiron.com)
2020-09-30 09:10:06

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2020-09-30 09:14:38

*Thread Reply:* Right, I see the same option like you posted. Core was built a long time ago. How can I verify if we still use 8080 or 443? I see 8080 only with the CRL

Raul (rnadal@mobileiron.com)
2020-09-30 09:19:45

*Thread Reply:* well, what does the note say?

Raul (rnadal@mobileiron.com)
2020-09-30 09:19:48

*Thread Reply:* 😂

Mikey2000 (mscottscranton079@gmail.com)
2020-09-30 09:20:41

*Thread Reply:* Right.. 🤣

Mikey2000 (mscottscranton079@gmail.com)
2020-09-30 09:21:49

*Thread Reply:* And changing the CRL from 8080 to 443, any impact for devices. I guess local CAs will renew certificates?

NicolasR (raison_nicolas@me.com)
2020-09-30 09:29:33

*Thread Reply:* a CRL on HTTPS doesn’t really make sense because you need to check another CRL to verify your CRL...

Mikey2000 (mscottscranton079@gmail.com)
2020-09-30 09:32:52

*Thread Reply:* Right.. but to use 8080 was flagged as a security risk by an audit company.

Jere Jutila (jere.jutila@miradore.com)
2020-09-30 15:06:45

@Jere Jutila has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-10-03 21:06:43

I am looking for useful PowerShell scripts which leverage RestAPI for MobileIron Core. Does anyone want to share useful scripts - could be a helpful thread to push MobileIron Core

NicolasR (raison_nicolas@me.com)
2020-10-05 07:56:43

*Thread Reply:* Found that: http://rikka.se/?q=node/12

👍 Mikey2000
mahiroux (mhyb.mk@gmail.com)
2020-10-07 17:24:02

We have on prem MI servers with a BYOD infrastructure with a mix of Android and iOS devices. We use in app registration using mobile@work client. A security audit recommended us to have MFA while users register a device using mobile@work. Is there a solution as such to meet our requirement?

Raul (rnadal@mobileiron.com)
2020-10-07 17:27:56

*Thread Reply:* At the moment you can leverage PIN + Password, which is MFA.

👍 mahiroux, Woody
Raul (rnadal@mobileiron.com)
2020-10-07 17:28:02

*Thread Reply:* This is already possible

Raul (rnadal@mobileiron.com)
2020-10-07 17:28:27

*Thread Reply:* If you want to use your IdP and leverage its own MFA, that’s what will eventually be available

👍 mahiroux
Woody (eric.woodland@trust.tc)
2020-10-07 18:10:24

*Thread Reply:* @mahiroux We front-end our Core with BYODPortal, which is tied to our Okta (which employs MFA). We enforce PIN at the Core, so no one circumvents the BYODPortal enrollment workflow.

NicolasR (raison_nicolas@me.com)
2020-10-08 13:36:08

*Thread Reply:* you can also federate the CORE user portal with an IDP, no more need to have BYODPortal (which hopefully will be soon EOL...)

👍 mahiroux
mahiroux (mhyb.mk@gmail.com)
2020-10-09 18:05:42

*Thread Reply:* Thank you..

Ash (ashmax439@gmail.com)
2020-10-09 13:14:37

@Ash has joined the channel

mahiroux (mhyb.mk@gmail.com)
2020-10-09 18:14:06

We have Standalone Sentry talking to two Exchange 2016 servers on round robin. Users are complaining about email sync issues. Sentry SMC shows so many HTTP 503 errors and 'servers marked dead' errors. I had multiple support calls but the issue still exists. Can anyone please give some insights on how to fix this issue?

NicolasR (raison_nicolas@me.com)
2020-10-12 13:15:36

*Thread Reply:* I had a couple of similar issues and it was often due to Firewall timeouts

Important thing to understand is that the Session TCP keepalive timeout must increase or be equal from Exchange CAS server to the device

i.e.:
Exchange CAS: 15 minutes
CAS Load balancer: 30 minutes
Sentry: (not configurable) 60 minutes
Sentry LB: 60 minutes
Edge Firewall: 60 minutes

THIS IS SUPER IMPORTANT!! It can lead to Mailbox re-sync and very awkward issues 😉 Everything is explained in the MobileIron & Microsoft KBs

NicolasR (raison_nicolas@me.com)
2020-10-12 13:18:36

*Thread Reply:* Well explained here: http://ilantz.com/2013/01/14/tcpip-keepalive-session-timeout-rpc-timeout-exchange-outlook-and-you/ And here: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxzMCAS

Woody (eric.woodland@trust.tc)
2020-10-12 19:27:46

Anyone know if the Cloud Connector can run VMWare Tools?

Woody (eric.woodland@trust.tc)
2020-10-12 19:28:18

The team asked. I'm 99.9% sure if it isn't included as part of the ISO there's no way to bolt-it-on after the fact. Right?

jaimin.s (jaimins@gmail.com)
2020-10-12 19:35:32

*Thread Reply:* Whoops wrong product :) deleted my message

Woody (eric.woodland@trust.tc)
2020-10-12 19:36:24

*Thread Reply:* LoL @jaimin.s. More ☕️ 4 U!

jaimin.s (jaimins@gmail.com)
2020-10-12 19:36:56

*Thread Reply:* 100%

Mark Vonk (mark.vonk@dahvo.com)
2020-10-12 19:37:57

*Thread Reply:* I do not think so. You can try though, with the same commands as for the Core and Sentry. In VMware on the connector click Install VMTools. Go to the CLI and perform a “install rpm cdrom”

👍 Woody
Woody (eric.woodland@trust.tc)
2020-10-12 20:05:08

*Thread Reply:* @Mark Vonk yeah, unfortunately I don't see the ability to invoke the install rpm command. Can't say I didn't explore all the options 🙂

Mark Vonk (mark.vonk@dahvo.com)
2020-10-12 20:10:57

*Thread Reply:* Just checked it: you need to register a support case to get a devshell password. See: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxoFCAS

As there is no service support (one time password for misupport)

After you get that you can install the VMware tools using regular Linux commands

👍 Woody
Woody (eric.woodland@trust.tc)
2020-10-12 21:03:29

*Thread Reply:* @Mark Vonk yeah, I was looking for the service support option. Use that all the time on the Cores

Woody (eric.woodland@trust.tc)
2020-10-14 16:44:53

Android Enterprise / Anyone seen a message once a device is enrolled (this is DO) about Account Action Required (seemingly from Google Play)... but then flips over to the Mobile@Work client and just hangs?

Woody (eric.woodland@trust.tc)
2020-10-14 16:45:13
Woody (eric.woodland@trust.tc)
2020-10-14 16:59:13

This appears to be tied to the AE profile. "ERRORADDACCOUNTAUTHENTICATOREXCEPTION"

Woody (eric.woodland@trust.tc)
2020-10-14 17:34:29

Purely related to the add of the Google Account. Play Store/etc installs apps and whatnot. Odd part is that I do not see a newly added device listing under said user's account, being blocked, etc

Woody (eric.woodland@trust.tc)
2020-10-14 19:06:13

Weirder part is that it is working on my Samsung S10 on Verizon... and erroring-out on the same devices on AT&T

Raul (rnadal@mobileiron.com)
2020-10-14 19:11:53

Compare patch level on both. It’s usually the reason why you only see mayhem on one of them

👍 Woody
Woody (eric.woodland@trust.tc)
2020-10-14 19:12:56

@Raul Would that prevent the Google Account from authenticating/adding? Even if I don't have any filter set on Core for patch level/etc?

Raul (rnadal@mobileiron.com)
2020-10-14 19:15:13

Well, for the big amount of issues that I’ve seen in the past, and as the same config seems to be working on another device of the same model and different carrier, I’d say that the issue seems to be on device firmware, that is not working fine with these patches.

As it’s not general, you should check with OEM, and then with carrier affected

👍 Woody
Raul (rnadal@mobileiron.com)
2020-10-14 19:15:41

There’s most likely nothing on Core that can be making the issue

Woody (eric.woodland@trust.tc)
2020-10-14 19:15:57

Concur re: Core

Woody (eric.woodland@trust.tc)
2020-10-14 19:16:04

Between Device/Google

Raul (rnadal@mobileiron.com)
2020-10-14 19:16:51

let me check a second

👍 Woody
Raul (rnadal@mobileiron.com)
2020-10-14 19:19:48

Do you register each device to 1 user only, right?

Woody (eric.woodland@trust.tc)
2020-10-14 19:20:37

Yes. 1:1

Woody (eric.woodland@trust.tc)
2020-10-14 19:20:49

So I just tried said user's account on my Verizon device. Same result

Florent N. (Florent.NOSARI@econocom.com)
2020-10-14 19:21:01

Do you have an account named "Android for Work" on the device?

Woody (eric.woodland@trust.tc)
2020-10-14 19:21:08

Yes @Florent N.

Matthijs Schut (matthijs.schut@blaud.com)
2020-10-16 08:36:01

@Matthijs Schut has joined the channel

👍 Ronald Reerds
U Sch (urbaan.schoonderwoerd@blaud.com)
2020-10-16 14:16:34

@U Sch has joined the channel

NicolasR (raison_nicolas@me.com)
2020-10-16 15:30:23

.

Tommy L (tommy.le@techstep.se)
2020-10-19 09:47:14

@Tommy L has joined the channel

Vlastimil Turzík (vturzik@system4u.com)
2020-10-20 09:38:42

@Vlastimil Turzík has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-10-20 20:31:46

We use MobileIron Access with an app on iOS. Now we want to use Cisco AnyConnect with that same app - since we already have one Tunnel config for MobileIron Access, how can we use another Tunnel configuration for Cisco VPN? Do we need to use one configuration for Access and Cisco VPN, if that is possible?! Two Tunnel configs will not work to trigger the same app, right?

Clark (76clark@gmail.com)
2020-10-20 22:34:32

You can only have 1 per app VPN applied to an app on a device. You can have a per app VPN and a device wide vpn but the per app vpn will take priority on a device.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-10-21 10:19:21

*Thread Reply:* But I can combine MobileIron Access and Cisco VPN in one Tunnel config?

Mark Vonk (mark.vonk@dahvo.com)
2020-10-21 14:21:32

*Thread Reply:* Not possible afaik. Using Access requires Tunnel. You should really look into why you need another VPN, because Tunnel already offers you VPN capabilities

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-10-21 15:03:31

*Thread Reply:* Mostly it is because we don’t have the platinum license to use Tunnel 😜

Woody (eric.woodland@trust.tc)
2020-10-21 20:08:38

Meant to share that I received closure on this one. When the changes were made at the top level of the GSuite tenant to no longer require the Google Device Policy app.. it relaxed on all OUs.. except ones that had been customized. Said user was in an OU that still required the Google Device Policy app, hence why it wasn't allowing things to move forward. The second we corrected the setting on the OU, the Google Account added and we were back in business.

Paul Conaty (pconaty@cwsi.ie)
2020-10-22 14:27:54

https://www.zdnet.com/article/mobileiron-enterprise-mdm-servers-under-attack-from-ddos-gangs-nation-states/

👀 Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-10-22 19:05:44

Anyone familiar with CheckMK monitoring? Can this be used with MobileIron?

Florent N. (Florent.NOSARI@econocom.com)
2020-10-22 19:23:30

*Thread Reply:* If there is no plugin yet, maybe you can try to modify my plugin for Centreon https://github.com/nosari20/centreon-mobileiron-plugin

👍 Mikey2000
Woody (eric.woodland@trust.tc)
2020-10-22 21:52:15

on Core.

Almar Diehl (almar.diehl@blaud.com)
2020-10-23 07:17:10

*Thread Reply:* You can add a WebApp in the Google Play iFrame.

👍 Woody
Raul (rnadal@mobileiron.com)
2020-10-23 07:27:47

*Thread Reply:* and works on All AE modes, not only on DO mode

👍 Woody
Raul (rnadal@mobileiron.com)
2020-10-23 07:28:08

*Thread Reply:*

Raul (rnadal@mobileiron.com)
2020-10-23 07:28:49

*Thread Reply:*

Woody (eric.woodland@trust.tc)
2020-10-23 14:04:38

*Thread Reply:* Thank you @Raul and @Almar Diehl!

Woody (eric.woodland@trust.tc)
2020-10-23 14:08:08

*Thread Reply:* So will the shortcut call and open the URL in Chrome directly or do a browser window (like a full screen web app)?

Raul (rnadal@mobileiron.com)
2020-10-23 14:24:02

*Thread Reply:* you can choose the behaviour, but Chrome has to be installed

👍 Woody
Woody (eric.woodland@trust.tc)
2020-10-23 15:37:26

*Thread Reply:* That’s fine @Raul. I’ve already got Chrome installed/allowed (using managed config with homepage and bookmark entries)

mahiroux (mhyb.mk@gmail.com)
2020-10-25 08:04:37

Is mobileiron supported on Amazon fire 8 plus(10 Gen) ?

Mikey2000 (mscottscranton079@gmail.com)
2020-11-05 10:34:47

Is there an installation guide for MobileIron Connector for LDAP connection with MobileIron Cloud using Hyper-V?

Raul (rnadal@mobileiron.com)
2020-11-05 10:53:16

*Thread Reply:* ??.

It’s just a matter of creating the VM and attaching the ISO, like on ESX

Raul (rnadal@mobileiron.com)
2020-11-05 10:53:39

*Thread Reply:* I think you can even get an OVA

Mikey2000 (mscottscranton079@gmail.com)
2020-11-05 15:37:16

*Thread Reply:* Great thanks 🙏

👍 Raul
Mikey2000 (mscottscranton079@gmail.com)
2020-11-06 20:36:15

Is the client traffic between MobileIron Core and Device (Mobile@Work) encrypted by default or is there an option to enable this? Background to this question - security wants to know how the current communication is secured between Core and Device.

Florent N. (Florent.NOSARI@econocom.com)
2020-11-06 21:23:41

*Thread Reply:* Yes, you can also set up which protocol and cipher suites are used. By default the device authenticates to Core with token but you can enable mutual auth

Tohsheen (tbazaz@mobileiron.com)
2020-11-06 22:06:52

*Thread Reply:* Mutual auth is on by default @Mikey2000 Since a long time

Mikey2000 (mscottscranton079@gmail.com)
2020-11-07 15:45:00

*Thread Reply:* Thanks. Are there whitepapers regarding this?

Mikey2000 (mscottscranton079@gmail.com)
2020-11-07 15:45:10

*Thread Reply:* Need some graphics

Florent N. (Florent.NOSARI@econocom.com)
2020-11-07 16:43:21

*Thread Reply:* @Tohsheen Since when? I enabled it on a test Core manually some months ago

Mikey2000 (mscottscranton079@gmail.com)
2020-11-07 22:03:41

*Thread Reply:* I was asking myself the same @Tohsheen .. MA is not default for us and we didn’t change anything!

Raul (rnadal@mobileiron.com)
2020-11-10 16:46:09

*Thread Reply:* I guess he was telling TLS, and not Certificate Mutual Auth

👍 Florent N.
Raul (rnadal@mobileiron.com)
2020-11-10 16:46:23

*Thread Reply:* CMA is not enabled by default

Raul (rnadal@mobileiron.com)
2020-11-10 16:46:38

*Thread Reply:* I only enable it when I go with Common Criteria mode

Raul (rnadal@mobileiron.com)
2020-11-10 16:47:30

*Thread Reply:* Connection from /to device to Core is encrypted by default, that’s what was enabled a while ago

Raul (rnadal@mobileiron.com)
2020-11-10 16:47:55

*Thread Reply:* in the old days, the provisioning port was by default 8080 but then it was moved to 443 with encryption,

Raul (rnadal@mobileiron.com)
2020-11-10 16:48:02

*Thread Reply:* 8080 was only for PoCs

Raul (rnadal@mobileiron.com)
2020-11-10 16:48:13

*Thread Reply:* but CMA is a different story

Raul (rnadal@mobileiron.com)
2020-11-10 16:49:15

*Thread Reply:* Think about it. MI Core and MI Sentry require a paid TLS certificate to encrypt the communications from / to device to Core

Raul (rnadal@mobileiron.com)
2020-11-10 16:49:16

*Thread Reply:* and Sentry

Mikey2000 (mscottscranton079@gmail.com)
2020-11-10 16:50:31

*Thread Reply:* Right! Thanks for the great explanation! 👍🙌

👍 Raul
Tohsheen (tbazaz@mobileiron.com)
2020-11-12 16:28:29

*Thread Reply:* I had a sinking feeling we had decided to enable it by default. Thanks Raul for clarifying..back to my holiday

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-11-13 07:37:10

*Thread Reply:* there are many little options to tweak security in Core, but the default setup isn't bad.

Raul (rnadal@mobileiron.com)
2020-11-12 06:54:31
❤️ Florent N.
Mikey2000 (mscottscranton079@gmail.com)
2020-11-12 11:14:32

*Thread Reply:* Great! 👏👏👏

Jay Robinson (Jay.Robinson@sas.com)
2020-11-16 13:18:23

*Thread Reply:* Very excited for this functionality.

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-11-16 19:00:08

*Thread Reply:* Keep in mind that AAD is always slower than MI Access

Raul (rnadal@mobileiron.com)
2020-11-12 06:55:04

MI Core and Cloud finally appear on the list of approved Device Compliance Partners within MEM

👍 Mikey2000, Jay Robinson
Raul (rnadal@mobileiron.com)
2020-11-12 06:55:46

Core 11 and Cloud R75 allow you to forward device posture, and it’s not a preview list

Mikey2000 (mscottscranton079@gmail.com)
2020-11-12 11:15:51

Is there really no system backup option for Sentry, like there is with Core? How can I backup/restore Sentry?

Raul (rnadal@mobileiron.com)
2020-11-12 11:24:08

*Thread Reply:* Core delivers the complex configs to Sentry as soon as they contact, so you only need to take care of the network config and the certificate

Raul (rnadal@mobileiron.com)
2020-11-12 11:24:36

*Thread Reply:* Sentry is only a puppet managed from Core

🤣 Mikey2000
Raul (rnadal@mobileiron.com)
2020-11-12 11:25:06

*Thread Reply:* So from server perspective, you just need to take care of the system config, network and so

Raul (rnadal@mobileiron.com)
2020-11-12 11:25:47

*Thread Reply:* The cert you use on Sentry portal doesn’t have to be trusted because it’s not exposed to internet so it’s up to you if you add a TLS cert there

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-11-12 11:26:24

*Thread Reply:* The rest is, network config, static hosts if you use them, and maybe ciphers selected (only for Core as Cloud also delivers the cipher config)

Raul (rnadal@mobileiron.com)
2020-11-12 11:26:41

*Thread Reply:* Exporting config should be enough

Raul (rnadal@mobileiron.com)
2020-11-12 11:27:25

*Thread Reply:* I always say that if Sentry breaks for any reason (never happened to me before), and it takes more than 15 mins to fix it, burn it up and rebuild it. It’s very quick

Raul (rnadal@mobileiron.com)
2020-11-12 11:27:56

*Thread Reply:* After contacting with Core, everything including the TLS cert exposed to internet will be delivered to Sentry automatically

Mikey2000 (mscottscranton079@gmail.com)
2020-11-12 11:39:53

*Thread Reply:* You say exporting config should be enough - what do you mean by that? The only things that you already mention are: Email settings, static hosts, user for the software updates.. and I thought I would need the TLS portal cert because some browsers will not let you login with the self signed.

Mikey2000 (mscottscranton079@gmail.com)
2020-11-12 11:43:36

*Thread Reply:* Sorry missed the point „export config“

Raul (rnadal@mobileiron.com)
2020-11-12 18:35:48

*Thread Reply:* you can always log in by IP even if the cert is not trusted

Mikey2000 (mscottscranton079@gmail.com)
2020-11-12 18:41:13

*Thread Reply:* Right 👍

Mikey2000 (mscottscranton079@gmail.com)
2020-11-12 16:41:53

Is there a way to monitor license consumption with MobileIron Core?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-11-13 07:40:39

*Thread Reply:* not out of the box as far as I know. you can build own reports regarding that or use third party software for that.

Mikey2000 (mscottscranton079@gmail.com)
2020-11-13 07:42:51

*Thread Reply:* I would be really interested in how you guys build your own reports or which third party you can recommend.

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-11-13 08:43:04

*Thread Reply:* count active devices via API, CSV export and import or reporting database

Mikey2000 (mscottscranton079@gmail.com)
2020-11-13 08:56:44

*Thread Reply:* Well but I can’t get out of Core how many licenses we have bought, right?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-11-13 09:11:33

*Thread Reply:* no, you need to check your billing/delivery letter

🤣 Mikey2000
Jason (jasonh@bridgeway.co.uk)
2020-11-13 09:58:13

*Thread Reply:* Yes, there is - IronWorks provides precisely this, along with suggested licence optimisation calculations and other reporting capabilities.

👍 Mikey2000
Jason (jasonh@bridgeway.co.uk)
2020-11-13 09:58:29

*Thread Reply:* But not available within MobileIron itself

Mikey2000 (mscottscranton079@gmail.com)
2020-11-13 21:31:58

*Thread Reply:* Do you know how IronWorks knows the exact amount of bought licenses?

Steve Hayton (shayton@bridgeway.co.uk)
2020-11-16 08:50:57

*Thread Reply:* That information is keyed in (and updated with new purchase) by the finance department

Jason (jasonh@bridgeway.co.uk)
2020-11-16 11:53:02

*Thread Reply:* Just to clarify, typically the finance dept at the customer’s reseller.

Mikey2000 (mscottscranton079@gmail.com)
2020-11-12 16:43:18

Anyone using this Apple watch app? This is only for users to see and manage enrolled devices, like within Mobile@Work, right?

NicolasR (raison_nicolas@me.com)
2020-11-16 15:09:00

*Thread Reply:* I tried... but it’s not that great yet...

ChrisB [MSFT] (chris.baldwin@microsoft.com)
2020-11-12 18:17:32

@ChrisB [MSFT] has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-11-16 18:16:55

MobileIron Access VS Azure Conditional Access with Intune (only O365 cloud service) Can you name me 3 major advantages of MI Access in comparison to Azure Conditional Access with Intune.

I got this one: 1.) SSSO - Seamless Single Sign-On with Access, not SSO like with Intune

Downside with Access: ADFS is mandatory. With Intune you could also use Password Hash or PTA.

Kiran Patel (kiran@kiranpatel.net)
2020-11-24 02:07:44

*Thread Reply:* late to this but to clarify ADFS isn't mandatory... other IdPs will do as well. We federated O365 with Okta and did DelIDP to MI Access after trying to do AzureAD conditional access with PTA. Users hated the constant pw prompts and the device trust for 3rd party mobile devices in Azure never got it to where we wanted it to be. SSSO is huge for our user base and we used MS Authenticator as the iOS SSO Broker app for all MS Office apps so it's the only app that needs the VPN profile (there are some downsides to this but performance wise much better)

Raul (rnadal@mobileiron.com)
2020-11-16 18:55:37

2) Access is faster than AAD Conditional Access and can revoke session tokens almost immediately if device is retired or goes out of compliance

Raul (rnadal@mobileiron.com)
2020-11-16 18:55:59

3) Doesn’t require Authenticator onboarding

Raul (rnadal@mobileiron.com)
2020-11-16 18:57:36

4) Core 11 can forward AAD Partner Device Compliance to AAD without enrolling to MEM/Intune, but onboarding with Access makes it super user friendly

Raul (rnadal@mobileiron.com)
2020-11-16 18:58:11

5) Regarding using Access when AAD is the IdP, I recommend you to reach out to your MobileIron Local SE for roadmap session.

Raul (rnadal@mobileiron.com)
2020-11-16 18:58:23

Something good will come for this usecase

Raul (rnadal@mobileiron.com)
2020-11-16 18:59:09

6) ZSO with FIDO2 will allow you to use mobile to unlock macOS and W10 devices

Eliot Estep (eliot.estep@techstep.se)
2020-11-18 14:36:24

@Eliot Estep has joined the channel

👍 Anders Hermansson
Mikey2000 (mscottscranton079@gmail.com)
2020-11-20 17:33:42

MobileIron App Wrapping - we received an unsigned copy of Cisco Jabber which we have wrapped with the MobileIron wrapper. After that we have to download the script to sign the app. What is the procedure for signing? Do we have to sign the app or Cisco? We need anything else for signing?

Raul (rnadal@mobileiron.com)
2020-11-20 23:17:20

*Thread Reply:* As it’s for internal distribution, you have to sign it with your company Apple Enterprise Developer Identity, like any other in-house iOS app

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2020-11-20 23:17:46

*Thread Reply:* That’s what you need to deploy iOS in-house apps through UEM

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-11-21 12:31:25

*Thread Reply:* Ah ok thank you. But there is also a wrapping tool from MobileIron where I don‘t have to sign the app myself and this will be done by MI, right?

Mikey2000 (mscottscranton079@gmail.com)
2020-11-21 15:54:00

*Thread Reply:*

Phil Hackett (phil.hackett83@gmail.com)
2020-11-23 13:11:10

We can’t see any MobileIron apps in the Apple App Store (Mobile@Work, Web@Work etc.) Does anyone know what’s going on?

Ladislav Blazek (ladislav@lblazek.cz)
2020-11-23 13:15:41

*Thread Reply:* Hi @Phil Hackett, we already have ticket for this issue. So far no answer from MI.

Phil Hackett (phil.hackett83@gmail.com)
2020-11-23 13:16:35

*Thread Reply:* Thanks @Ladislav Blazek I’m about to open a support ticket myself 😀

Ladislav Blazek (ladislav@lblazek.cz)
2020-11-23 13:33:50

*Thread Reply:* MobileIron Service Degradation - Mobileiron Apple Productivity Apps - SET-20833 New incident: Investigating A number of MobileIron customers are experiencing a degradation to the service. Currently Mobileiron Productivity Apps are temporary unavailable from the Apple App Store.

MobileIron Site Reliability Engineering is investigating the issue and will provide an update or notice of resolution once we have collected additional information.

https://status.mobileiron.com/incidents/3df57g7z8fd8

👍 Phil Hackett
Phil Hackett (phil.hackett83@gmail.com)
2020-11-23 16:25:21

*Thread Reply:* And it’s back in the App Store....

Mikey2000 (mscottscranton079@gmail.com)
2020-11-25 12:31:55

Our operators are wrong on the devices. I have been searching for the Subscriber Carrier Network, Subscriber MCC and Subscriber MNC on the affected device details, but cannot find these three properties. Why?

Raul (rnadal@mobileiron.com)
2020-11-25 12:51:33

On Android?

Mikey2000 (mscottscranton079@gmail.com)
2020-11-25 12:51:57

*Thread Reply:* Sorry, no mostly iOS

Raul (rnadal@mobileiron.com)
2020-11-25 12:53:15

*Thread Reply:* That’s strange as iOS reads the required field on SIMcard and populates it so UEM can see it

Raul (rnadal@mobileiron.com)
2020-11-25 12:53:37

*Thread Reply:* Android doesn’t do the same so depending on the carrier you will run into issues, but on iOS it should be perfect

Mikey2000 (mscottscranton079@gmail.com)
2020-11-25 12:54:42

*Thread Reply:* Yes this is weird. We don‘t have these properties on any iOS devices. And actually the operator that is shown within the overview of all devices is disabled in the operator settings page

Mikey2000 (mscottscranton079@gmail.com)
2020-11-25 12:53:25

We want to monitor MobileIron Core and all Sentrys with Nagios. Is there a guide how to integrate both Core and Sentry? Best practices for which services can be monitored? Do we need a setup within the System Manager of Core and Sentry?

Ala Almaet (ala@alaalmaet.com)
2020-11-25 15:55:20

*Thread Reply:* If the Nagios software is required to be installed as an agent to do the monitoring then this isn't possible as these are locked down hardened appliances.

👍 Mikey2000, Woody
Mikey2000 (mscottscranton079@gmail.com)
2020-11-25 15:57:01

*Thread Reply:* Ok and if this is not required? Not sure if this is a default requirement for Nagios

Raul (rnadal@mobileiron.com)
2020-11-25 17:52:05

*Thread Reply:* If it’s not required you should find if Nagios supports something like syslog or similar

Florent N. (Florent.NOSARI@econocom.com)
2020-11-25 20:20:00

*Thread Reply:* You can use snmp HOST MIB

💯 Raul, Woody
Mirko Bülles (mbulles@mobileiron.com)
2020-11-30 11:07:40

*Thread Reply:* You can monitor Core and Sentry with Nagios but only to a certain level. You can see whatever is agentless provided by Nagios (https/https and some other ports). You can also use SNMP traps. But nagios has some agents which can be installed on the host for more detailed monitoring. You could set these up using the "misupport" cmd on the sentry/core. But you will get into troubles when you need MI support afaik. Or you need to get PS involved to have this certified.

💯 Raul, Mikey2000
Florent N. (Florent.NOSARI@econocom.com)
2020-11-30 11:22:34

*Thread Reply:* I made a plugin for Centreon, maybe it can be used by Nagios https://github.com/nosari20/centreon-mobileiron-plugin

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-11-30 15:46:45

*Thread Reply:* Thanks guys! 👍🙌

Jason (jasonh@bridgeway.co.uk)
2020-12-04 09:42:24

Do we need to consider renaming this channel now that the acquisition has gone through?

Raul (rnadal@mobileiron.com)
2020-12-04 09:44:14

Don’t run too fast

Raul (rnadal@mobileiron.com)
2020-12-04 09:44:29

For the moment MI will keep being MI

Raul (rnadal@mobileiron.com)
2020-12-04 09:45:07

At least wait and see if product names change

👍 Woody, NicolasR
Jason (jasonh@bridgeway.co.uk)
2020-12-04 10:43:24

👍

Woody (eric.woodland@trust.tc)
2020-12-04 16:29:12

#IronIvanti #IvantiIron #IvantiCloud #MvantiIron #MilliVanIron #ICouldGoOnForever

🤣 Caryn
Matt Dermody (jmdermody@gmail.com)
2020-12-04 16:39:13

Don’t forget Wavelink Avalanche in the mix!

👍 Woody, NicolasR
Raul (rnadal@mobileiron.com)
2020-12-04 16:40:09

And Pulse

👍 Woody, NicolasR
Matt Dermody (jmdermody@gmail.com)
2020-12-04 16:40:28

https://www.ivanti.com/products/avalanche

Jason (jasonh@bridgeway.co.uk)
2020-12-04 16:45:46

I expect Avalanche will be EOL’d shortly..

NicolasR (raison_nicolas@me.com)
2020-12-04 16:51:55

*Thread Reply:* Don’t expect that immediately or even later 😉 as MI doesn’t do everything that Avalanche does...

NicolasR (raison_nicolas@me.com)
2020-12-04 16:52:39

*Thread Reply:* There are probably better things PM can do than just EOL products

NicolasR (raison_nicolas@me.com)
2020-12-04 16:52:47

*Thread Reply:* this comes in a second phase

Matt Dermody (jmdermody@gmail.com)
2020-12-04 17:47:24

*Thread Reply:* Avalanche is great at Windows Mobile and Windows CE!

😬 Woody, Raul
😆 JordanOC
Matt Dermody (jmdermody@gmail.com)
2020-12-04 17:47:43

*Thread Reply:* …which are EOL

Mikey2000 (mscottscranton079@gmail.com)
2020-12-11 09:52:08

Has anyone had the error message while trying to enroll an Android Enterprise device on Core „Limit has been reached on Google Play“..

Raul (rnadal@mobileiron.com)
2020-12-11 09:52:49

*Thread Reply:* That’s not an MI limit. It’s a limit that Google impose to deploy AE devices with a user account.

Raul (rnadal@mobileiron.com)
2020-12-11 09:52:56

*Thread Reply:* The limit is 10 per user account

Raul (rnadal@mobileiron.com)
2020-12-11 09:52:59

*Thread Reply:* BUT

Raul (rnadal@mobileiron.com)
2020-12-11 09:53:16

*Thread Reply:* You can enable Device Accounts, and there there’s no limit

Raul (rnadal@mobileiron.com)
2020-12-11 09:54:27

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2020-12-11 09:54:58

*Thread Reply:* Ah I see.. good point! But this particular user has only 1 active device on Core. Are there older enrollments still stored on Google side somewhere?

Raul (rnadal@mobileiron.com)
2020-12-11 09:58:11

*Thread Reply:* No idea but enrollment is linked to user, not to device.

Raul (rnadal@mobileiron.com)
2020-12-11 09:58:30

*Thread Reply:* I can register 300 devices with the same user as long as the user have this setting enabled

Mikey2000 (mscottscranton079@gmail.com)
2020-12-11 09:59:30

*Thread Reply:* 👍👍

mahiroux (mhyb.mk@gmail.com)
2020-12-14 10:15:37

HI, We use AIP for data classification. Is there a way to classify documents using Docs@work?

NicolasR (raison_nicolas@me.com)
2020-12-14 17:51:45

*Thread Reply:* Not in Docs@work, this idea has been dropped due to lack of interest from customers. but Email+ supports that

mahiroux (mhyb.mk@gmail.com)
2020-12-15 08:33:00

*Thread Reply:* @NicolasR Thanks for your reply. Since we are using a DLP solution for email server, any unclassified documents will be blocked. Currently we only use Docs@work as document repository in the container. Do you think I can push office 365 apps with MAM policies effectively and inform users to use office 365 apps to create and classify documents from mobile devices?

NicolasR (raison_nicolas@me.com)
2020-12-15 08:33:47

*Thread Reply:* With Filepass you can use Microsoft and Mobileiron apps

Stefan Linge (stefan.linge@miradore.com)
2020-12-14 15:21:57

@Stefan Linge has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 15:48:47

Has anyone else issues with the enrollment of Android devices with MobileIron Core? (10.8 and 11) After entering the user credentials Mobile@Work brings up the error message „unable to locate. Could not connect to server . Check the data connection or the server address“. After trying the enrollment a couple of times it will work at one point. Could not find anything within the Mobile@Work logs. Any ideas?

Raul (rnadal@mobileiron.com)
2020-12-16 16:45:22

*Thread Reply:* When did you start facing that?

Raul (rnadal@mobileiron.com)
2020-12-16 16:45:28

*Thread Reply:* I’m on 11 and all good

Raul (rnadal@mobileiron.com)
2020-12-16 16:45:34

*Thread Reply:* Also on 10.8

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:45:48

*Thread Reply:* Started this week..

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:46:11

*Thread Reply:* After trying 3-4 times the enrollment works

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:46:24

*Thread Reply:* I am gathering all the relevant logs to find out more

Raul (rnadal@mobileiron.com)
2020-12-16 16:46:32

*Thread Reply:* Do you have set system alerts on Core?

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:46:44

*Thread Reply:* No all clear

Raul (rnadal@mobileiron.com)
2020-12-16 16:46:50

*Thread Reply:* If so, do you see alerts like unable to reach MobileIron Gateway?

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:47:18

*Thread Reply:* Maybe related to our firewall

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:47:23

*Thread Reply:* Gotta check also there

Raul (rnadal@mobileiron.com)
2020-12-16 16:47:50

*Thread Reply:* For ex, I receive this alert every thursday when my router is automatically rebooted, but once that router is up, I see all services OK

Raul (rnadal@mobileiron.com)
2020-12-16 16:48:09

*Thread Reply:* If I receive it at any other time, then something bad is happening

Raul (rnadal@mobileiron.com)
2020-12-16 16:48:17

*Thread Reply:* that’s useful

Raul (rnadal@mobileiron.com)
2020-12-16 16:48:34

*Thread Reply:* For me your case looks like networking issues

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:48:59

*Thread Reply:* Ok so I will also enable the system events on Core. Could be helpful

Raul (rnadal@mobileiron.com)
2020-12-16 16:49:10

*Thread Reply:* yeah

Raul (rnadal@mobileiron.com)
2020-12-16 16:50:26

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:50:48

*Thread Reply:* The only thing that is strange we have the exact same issue on another Core with completely different network infrastructure.

Raul (rnadal@mobileiron.com)
2020-12-16 16:51:12

*Thread Reply:* Do you have the right amount of resources for your metric?

Raul (rnadal@mobileiron.com)
2020-12-16 16:51:30

*Thread Reply:* Performance issues can also reproduce the same issue

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:51:56

*Thread Reply:* How do you mean? Like enough RAM, CPUs on Core?

Raul (rnadal@mobileiron.com)
2020-12-16 16:52:05

*Thread Reply:* yeah, and reservation

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:52:12

*Thread Reply:* Good point

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:52:25

*Thread Reply:* Gotta check also. Not sure..

Raul (rnadal@mobileiron.com)
2020-12-16 16:52:48

*Thread Reply:* I have 1 customer that was having a lot of issues and now that they have all healthy, they are running a Core with 100K devices without issues

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:53:19

*Thread Reply:* Can I see performance issues on MICS in Core? Like a full queue or something?

Raul (rnadal@mobileiron.com)
2020-12-16 16:58:12

*Thread Reply:* Umm, I don’t know how, outside of Hypervisor alerts

Raul (rnadal@mobileiron.com)
2020-12-16 16:58:22

*Thread Reply:* I only know where to check storage

Mikey2000 (mscottscranton079@gmail.com)
2020-12-16 16:58:37

*Thread Reply:* Ok thanks very good input 👍

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-12-18 07:26:10

*Thread Reply:* If you have mobileiron monitor, you should see performance issues there

Mikey2000 (mscottscranton079@gmail.com)
2020-12-18 07:27:03

*Thread Reply:* We don’t have platinum 😜

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-12-18 07:28:38

*Thread Reply:* maybe snmp performance mibs?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-12-18 07:29:25

*Thread Reply:* or check logs for timeouts etc

Mikey2000 (mscottscranton079@gmail.com)
2020-12-18 07:30:06

*Thread Reply:* Should be in the core showtech right?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-12-18 07:30:18

*Thread Reply:* yep

Mikey2000 (mscottscranton079@gmail.com)
2020-12-18 07:54:44

*Thread Reply:* Do you know in which log file?

Wolfgang Bauer (wolfgang.bauer@lineas.de)
2020-12-22 09:49:07

*Thread Reply:* there are no special logfiles for that. Mi.log and webserver logs seem a good start for me.

👍 Mikey2000
Florent N. (Florent.NOSARI@econocom.com)
2020-12-18 19:40:15

Hello, I'm trying to setup Desktop Trust for Access on our lab but I have the error "Acces received an invalid Kerberos ticket for domain: ." I check the keytab and recreate everything with realm in uppercase but the issue remains. Any idea ?

Raul (rnadal@mobileiron.com)
2020-12-22 11:18:51

*Thread Reply:*

Raul (rnadal@mobileiron.com)
2020-12-22 11:24:51

*Thread Reply:* It works for me with this GPO and the config above on Access console

Raul (rnadal@mobileiron.com)
2020-12-22 11:26:03

*Thread Reply:*

Florent N. (Florent.NOSARI@econocom.com)
2020-12-22 11:41:07

*Thread Reply:* I already uploaded the keytab file created with the command in the documentation

Raul (rnadal@mobileiron.com)
2020-12-22 11:49:28

*Thread Reply:* cool

Raul (rnadal@mobileiron.com)
2020-12-22 11:50:19

*Thread Reply:* It’s also true that I use the same MS CA for DJ devices and for SCEP

Raul (rnadal@mobileiron.com)
2020-12-22 11:50:27

*Thread Reply:* So Access already trust on it

Florent N. (Florent.NOSARI@econocom.com)
2020-12-22 12:07:51

*Thread Reply:* I did not use gpo, I have created the registry keys manually and everything is ok in the ADA logs

Raul (rnadal@mobileiron.com)
2020-12-22 12:17:11

*Thread Reply:* I made this video a while ago for a customer, where you first see how unmanaged or not DJ W10 devices are blocked, and how a DJ W10 can access to SharePoint with WIA, and then how it can access to SalesForce and so with the Kerberos Trust Agent and then with WIA as well

Raul (rnadal@mobileiron.com)
2020-12-22 12:18:55

*Thread Reply:* I don’t remember to configure anything else but the stuff above

Florent N. (Florent.NOSARI@econocom.com)
2020-12-22 12:26:28

*Thread Reply:* Thank you, I will review all the configurations

👍 Raul
Florent N. (Florent.NOSARI@econocom.com)
2020-12-28 11:10:08

*Thread Reply:* Can you confirm that you have created the keytab using

ktpass /out access.miada.com.keytab /princ HTTP/access.miada.com@MYCOMPANY.COM /mapuser svc.miada@MYCOMPANY.COM /crypto All /pass ** -ptype KRB5_NT_PRINCIPAL

The -ptype KRB5_NT_PRINCIPAL suppresses "WARNING: pType and account type do not match. This might cause problems." Thanks in advance @Raul

Raul (rnadal@mobileiron.com)
2020-12-30 11:32:38

*Thread Reply:* https://help.mobileiron.com/s/article-detail-page?Id=kA134000000Qy4QCAS

I used a command exactly like in the example

ktpass /out access.miada.com.keytab /princ HTTP/access.miada.com@MIADA.COM /mapuser svuser@MIADA.COM /crypto All /pass

Raul (rnadal@mobileiron.com)
2020-12-30 11:33:18

*Thread Reply:* Same as I did to create the keytab for Sentry for ActiveSync, but this time for Access Desktop trust

Florent N. (Florent.NOSARI@econocom.com)
2020-12-30 12:08:25

*Thread Reply:* I tried both, the problem seems to not be there so

Florent N. (Florent.NOSARI@econocom.com)
2020-12-30 12:08:28

*Thread Reply:* Thank you

TheWolfpack (w.bauer83@googlemail.com)
2020-12-21 09:08:48

@TheWolfpack has joined the channel

JeroenK (j.kruit@zetacom.nl)
2020-12-21 12:37:59

I’m curious if more people are experiencing Samsung S20 fact reset issue enrolled AE COPE devices after upgrade from Android 10 to 11 with MI Go 74 client?

Sragnob (maartinos@gmail.com)
2020-12-22 12:48:40

*Thread Reply:* We have had reports of this as well, although via core

Stuart Brown (stuartbrown@google.com)
2021-01-08 17:12:29

*Thread Reply:* I see a MI post regarding an issue registering WPCOD + KME, that is Resolved in Mobile@Work 11.0.0.1 and MobileIron Go 74.1.0.2 (not yet released?) Maybe this is also related to the COPE -> WPCOD migration issue you are encountering.

JeroenK (j.kruit@zetacom.nl)
2021-01-14 07:49:57

*Thread Reply:* Yes indeed, also for KME enrollment you need to add a json data in the KME profile and use the option to let MDM decide enrollment type.

{ "workProfileEnabled": true, "quickStart": true }

Jon Henson (jonathanwhenson@gmail.com)
2021-01-07 20:50:13

@Jon Henson has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-01-13 18:14:18

Cisco Jabber + ADFS + MI Tunnel question. Jabber used certificate based authentication via ADFS . Our ADFS and Jabber infrastructure are not externally published, so we want to send the Jabber client on iOS through MobileIron Tunnel. Is there still limitation for UDP? Will ADFS CBA work in this scenario? Anything else we need to consider?

NicolasR (raison_nicolas@me.com)
2021-01-15 08:33:37

Hi Mikey, Split UDP works with Tunnel (packet-tunnel mode) so it means your UDP traffic is not handled by Tunnel. If you want UDP part of it, you should look at Pulse Secure 😆😉

Mikey2000 (mscottscranton079@gmail.com)
2021-01-17 10:26:58

*Thread Reply:* Hey Nicolas, Thanks - but that would mean that our Jabber infrastructure needs to be externally published, which it is not. Can you explain the Pulse Secure part.

NicolasR (raison_nicolas@me.com)
2021-02-03 09:47:00

*Thread Reply:* Well, Pulse Secure is a real full featured VPN including UDP tunneling 😉

Mikey2000 (mscottscranton079@gmail.com)
2021-02-03 09:47:55

*Thread Reply:* Cool.. but extra license right? We have platinum

NicolasR (raison_nicolas@me.com)
2021-02-03 09:48:54

*Thread Reply:* Currently the Pulse Secure part is not included in any bundle yet, but feel free to go and talk to your sales representative, he will be happy to help I’m sure

Todd Cole (toddcole13@hotmail.com)
2021-01-15 21:10:29

@Todd Cole has joined the channel

Patrick Hogeboom (p.hogeboom@zetacom.nl)
2021-01-19 18:35:45

@Patrick Hogeboom has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-01-20 19:34:29

Has anyone come across this: We use MI Core + EAS Sentry + Exchange On-Prem(Passthrough) + iOS Apple Native mail app If some users change their AD password, the mail app will not prompt for a new password and the mailbox will keep synchronized until the next day when the password prompt shows up. Why the delay? I am guessing this must be an AD/Exchange issue because the sync with the old credentials still work. Any ideas?

Peter Mohr (pm@conscia.com)
2021-01-20 20:26:37

ActiveSync only re-authenticates once in a while. Usually once every 12 or 24 hours… Stores a local token and uses that for sync until next re-auth

👍 Mikey2000, Woody
Peter Mohr (pm@conscia.com)
2021-01-20 20:26:46

this is by design in the protocol

Mikey2000 (mscottscranton079@gmail.com)
2021-01-22 07:46:32

We need like 30 devices for Android Enterprise COSU - If we use MobileIron Cloud do we need an LDAP connector or can we invite users and enroll them into COSU without LDAP? We want to keep the implementation as easy as possible.

Raul (rnadal@mobileiron.com)
2021-01-22 09:15:51

*Thread Reply:* You can do with local accounts

Raul (rnadal@mobileiron.com)
2021-01-22 09:16:40

*Thread Reply:* Enable Device Accounts setting on each account and you will be able to provision N devices in COSU mode against the same account, or create different local accounts

Raul (rnadal@mobileiron.com)
2021-01-22 09:16:55

*Thread Reply:* You don’t need LDAP

Raul (rnadal@mobileiron.com)
2021-01-22 09:17:36

*Thread Reply:* If you also deploy kiosk mode, you can add a variable with an identifier to the Text Banner for later identification of devices when user call HD

🙏 Mikey2000
Raul (rnadal@mobileiron.com)
2021-01-22 09:17:58

*Thread Reply:* Easy

Mikey2000 (mscottscranton079@gmail.com)
2021-01-22 09:48:18

*Thread Reply:* Great thanks - sounds good. Where is the setting for the device accounts?

Also, how do you recommend deploying the Android Enterprise configs for COSU, COPE and WP with device groups? This is a little different like with Core. Now we use only COSU so I just deployed it for test purposes on All Devices. But when I also want COPE and WP, I need to use custom groups. I had the problem that I created a custom manual device group, but I cannot assign the group to the device right away because it’s not enrolled. What’s best practice here?

Raul (rnadal@mobileiron.com)
2021-01-22 11:16:23

*Thread Reply:* Create a user group where you add users. Then create the same group for devices, with a condition of the OS and User Group membership to belong to the User Group you created on previous step

🙏 Mikey2000
Raul (rnadal@mobileiron.com)
2021-01-22 11:16:27

*Thread Reply:* That’s the way I do

Mikey2000 (mscottscranton079@gmail.com)
2021-01-22 11:19:46

*Thread Reply:* Great! Thanks!

👍 Raul
Mikey2000 (mscottscranton079@gmail.com)
2021-01-22 16:01:19

MobileIron Core LDAP - we added a LDAP connection for LDAPS (636) parallel to the LDAP (389) a couple of months ago and forgot to disable/remove the 389 connection. Both are working because if we look for LDAP users within the Users tab (LDAP Entity) we have double entries for the same user. Can we disable the 389 connection without any impact like losing any user accounts? What is the normal procedure here?

Raul (rnadal@mobileiron.com)
2021-01-22 16:57:19

*Thread Reply:* If you just change from to then you can simply edit the current LDAP config

Raul (rnadal@mobileiron.com)
2021-01-22 16:57:32

*Thread Reply:* If the URL is the same, go ahead. No issues

Raul (rnadal@mobileiron.com)
2021-01-22 16:57:58

*Thread Reply:* That’s better than 2 LDAP configs pointing to the same LDAP server

Raul (rnadal@mobileiron.com)
2021-01-22 16:58:11

*Thread Reply:* From my perspective at least

Raul (rnadal@mobileiron.com)
2021-01-22 16:58:27

*Thread Reply:* I’ve done on Core and Cloud and no issues

Mikey2000 (mscottscranton079@gmail.com)
2021-01-22 16:59:09

*Thread Reply:* Right, but we already have two pointing at the same only with different ports. So i will remove to 389

Raul (rnadal@mobileiron.com)
2021-01-22 16:59:21

*Thread Reply:* yeah, do it

Raul (rnadal@mobileiron.com)
2021-01-22 17:00:14

*Thread Reply:* If you want to be sure that everything is working, force an LDAP sync after removing the old config

👍 Mikey2000
Raul (rnadal@mobileiron.com)
2021-01-22 17:00:21

*Thread Reply:* Should be quick

👍 Mikey2000
AwAz (azharuddin.ece@gmail.com)
2021-01-23 19:43:14

@AwAz has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-01-27 06:55:53

I am having issues with the Samsung Gallery store app on Android 10 + 11 devices. The app will not show up within the Work Profile (MobileIron Core). Has there been a change I am not aware of?

Raul (rnadal@mobileiron.com)
2021-01-27 08:27:34

*Thread Reply:* Galaxy Store or Gallery?

Raul (rnadal@mobileiron.com)
2021-01-27 08:28:05

*Thread Reply:* The last keeps working, the first should never be on Work Profile

Raul (rnadal@mobileiron.com)
2021-01-27 08:28:33

*Thread Reply:* Only on personal side

Mikey2000 (mscottscranton079@gmail.com)
2021-01-27 08:28:58

*Thread Reply:* Gallery

Mikey2000 (mscottscranton079@gmail.com)
2021-01-27 08:29:45

*Thread Reply:* On some new enrollments it won’t get installed.

Raul (rnadal@mobileiron.com)
2021-01-27 08:33:37

*Thread Reply:* Well, Gallery is a system app so it’s very easy to enable it manually.

Raul (rnadal@mobileiron.com)
2021-01-27 08:33:52

*Thread Reply:* I see it on my demo S10 on Android 11

Mikey2000 (mscottscranton079@gmail.com)
2021-01-27 08:40:18

*Thread Reply:* Yes at the moment we install it via AppCatalog. I will try it via Lockdown policy

Mikey2000 (mscottscranton079@gmail.com)
2021-01-28 07:23:07

*Thread Reply:* Update: Lockdown policy works fine - deployment via AppCatalog doesn’t work for most devices.

Raul (rnadal@mobileiron.com)
2021-01-28 07:57:57

*Thread Reply:* I always add all the package IDs of Galleries as on other OEMs it’s different so better enable all of them

Raul (rnadal@mobileiron.com)
2021-01-28 07:58:29

*Thread Reply:* If you don’t need to configure an app, like Gallery, it’s always better to enable them via Lockdown policy

Raul (rnadal@mobileiron.com)
2021-01-28 07:58:48

*Thread Reply:* For Chrome, Samsung Email and so, then deploy the app as a corp app

Raul (rnadal@mobileiron.com)
2021-01-28 07:59:03

*Thread Reply:* so you can configure them

Mikey2000 (mscottscranton079@gmail.com)
2021-01-28 08:09:21

*Thread Reply:* Right thanks. For some devices the installation of Chrome also fails. Other work profile apps on the same device work, only Chrome fails.

Raul (rnadal@mobileiron.com)
2021-01-28 08:12:21

*Thread Reply:* It fails when Android WebView is not updated before to install Chrome.

Raul (rnadal@mobileiron.com)
2021-01-28 08:12:25

*Thread Reply:* That’s a Google issue

Raul (rnadal@mobileiron.com)
2021-01-28 08:12:42

*Thread Reply:* Once that it’s updated, Chrome installation happens

Mikey2000 (mscottscranton079@gmail.com)
2021-01-28 08:12:48

*Thread Reply:* Ah I see..

Mikey2000 (mscottscranton079@gmail.com)
2021-01-28 08:13:19

*Thread Reply:* How can we upgrade the WebView? Manually via Google Play?

Raul (rnadal@mobileiron.com)
2021-01-28 08:14:11

*Thread Reply:* For DO mode devices it’s tricky but for COPE we recommend user to add a personal account to personal side as this should trigger update automatically, or simply wait as this will happen but will take time

Raul (rnadal@mobileiron.com)
2021-01-28 08:14:21

*Thread Reply:* It’s an annoying issue

Mikey2000 (mscottscranton079@gmail.com)
2021-01-28 08:14:53

*Thread Reply:* So for work profile it should be easy right?

Woody (eric.woodland@trust.tc)
2021-01-27 21:09:56

Now that MobileIron has been acquired, I suppose it’s time to go back and dig up some photos/videos from the good ’ole days. Came across this one today, which was at a company event/dinner where the theme was a ❄️ snowball fight ❄️ 🙂

👍 jaimin.s, Mikey2000
❤️ Tohsheen
Woody (eric.woodland@trust.tc)
2021-01-27 21:11:37

Taking the MobileIron throwbacks into a thread…

Woody (eric.woodland@trust.tc)
2021-01-27 21:12:00

*Thread Reply:* M1 - The first user conference! 2011.

Woody (eric.woodland@trust.tc)
2021-01-27 21:52:37

*Thread Reply:*

Woody (eric.woodland@trust.tc)
2021-01-27 22:00:23

*Thread Reply:* Donut Wall!

Woody (eric.woodland@trust.tc)
2021-01-27 22:01:01

*Thread Reply:* Ojas!

Woody (eric.woodland@trust.tc)
2021-01-27 22:01:30

*Thread Reply:* More Ojas!

Ala Almaet (ala@alaalmaet.com)
2021-01-27 22:04:58

*Thread Reply:* I remember this. I attended as a Partner and will have to see if i can dig up any old photos from this event.

:the_horns: Woody
Woody (eric.woodland@trust.tc)
2021-01-28 02:01:17

*Thread Reply:* Yeah @Ala Almaet!

Woody (eric.woodland@trust.tc)
2021-01-28 02:01:19

*Thread Reply:* Good times

Ala Almaet (ala@alaalmaet.com)
2021-01-28 02:22:29

*Thread Reply:* yeah one of the best conferences that i attended

👍 Woody, Caryn
Mikey2000 (mscottscranton079@gmail.com)
2021-01-28 13:45:16

Is anyone using SAP Fiori (Store app) on iOS?

Raul (rnadal@mobileiron.com)
2021-01-29 10:55:09

*Thread Reply:* What’s the issue?

Raul (rnadal@mobileiron.com)
2021-01-29 10:55:12

*Thread Reply:* You need a plist?

Mikey2000 (mscottscranton079@gmail.com)
2021-01-29 20:28:47

*Thread Reply:* I have the PLIST basic auth. but we use ADFS CBA with SAP. Could not find anything if SAP has KVP to support this

mahiroux (mhyb.mk@gmail.com)
2021-02-01 06:16:04

Hi, I had reported an issue with MI core and support team confirmed this will be resolved in the future core release and provided a JIRA id. What does this id mean?

Raul (rnadal@mobileiron.com)
2021-02-01 07:38:23

*Thread Reply:* This means you reported a bug or feature not implemented that will be on future versions of Core

Clark (76clark@gmail.com)
2021-02-01 16:54:41

*Thread Reply:* You can reference this ID at a later date to ask for an update on it.

Woody (eric.woodland@trust.tc)
2021-02-02 19:44:53

So a customer of mine just added a Whitelist string to the Honeywell OEM Config in Core and now it’s coming back with this. @NicolasR I know there was an issue with Core 10.8.0.0 similar to this. Has anyone encountered something similar here?

Matt Dermody (jmdermody@gmail.com)
2021-02-02 22:48:02

*Thread Reply:* I would recommend re-enrolling the devices with a different method other than DPC identifier so that the system apps like OEMConfig and the camera are left enabled

👍 Woody
NicolasR (raison_nicolas@me.com)
2021-02-03 09:43:38

*Thread Reply:* I heard the same customer to complain around christmas even with the patch but the issue was gone by itself with no further action

🤔 Woody
Woody (eric.woodland@trust.tc)
2021-02-03 15:28:31

*Thread Reply:* @NicolasR apparently it’s persisting. They’re going to launch a support ticket to dig deeper

👍 NicolasR
Woody (eric.woodland@trust.tc)
2021-02-08 17:36:55

*Thread Reply:* @NicolasR closure: they were able to resolve via direct fix in the DB

Mikey2000 (mscottscranton079@gmail.com)
2021-02-03 13:44:37

Question MobileIron Core + Knox Mobile Enrollment for Work Managed Device with Work Profile: Should a filter label with Registration Status = Managed Device with Work Profile work as a filter option within the label after enrolling a device via KME. The device will not be applied to the label. Of course I have a different label for COBO with filter option work managed device and it will always land in that label. Shouldn’t the JSON field workprofileEnabled:true take care of this that it will be WPOCD from time of the registration or is the other label interfering?

Mark Vonk (mark.vonk@dahvo.com)
2021-02-03 16:14:09

*Thread Reply:* The attribute is not set until the device is fully enrolled. Hence you can’t use it as a dynamic label to distribute configurations like the AE configuration. Doing so will lead to factory resets.

Mikey2000 (mscottscranton079@gmail.com)
2021-02-03 16:17:34

*Thread Reply:* Gotcha.. thats what I thought. Not sure why I need to enter that JSON data on KME for WPOCD. How can I use dynamic COBO and COPE labels at the same time? I can’t use manual labels because I don’t know when the user enrolls the device.

Mark Vonk (mark.vonk@dahvo.com)
2021-02-03 16:22:22

*Thread Reply:* You need to enter the JSON as KMEs enrollment model is DO. COPE was based on DO, but with Android 11 changed to PO (profile owner). Hence the JSON is needed to make sure a Work Profile is created instead of the device enrolling as a COBO device.

👍 Mikey2000
Mark Vonk (mark.vonk@dahvo.com)
2021-02-03 16:24:13

*Thread Reply:* What about a dynamic label that is the same as the COBO label instead using != Would that work? Never tried it, but it might work, unless you also have BYOD

Mikey2000 (mscottscranton079@gmail.com)
2021-02-03 16:29:11

*Thread Reply:* Yes I have also BYOD, but I covered that with != Work Managed like you mentioned. But since COBO and COPE are both Work Managed at first, I cannot use the !=. I would need a second filter option to bind COPE. But I don’t know which one. Is there something I can set in the KME JSON so I can identify the devices when they hit Core? This is a tricky one.

Mikey2000 (mscottscranton079@gmail.com)
2021-02-03 17:32:35

*Thread Reply:* I think this is the solution:

Mikey2000 (mscottscranton079@gmail.com)
2021-02-03 17:33:59

*Thread Reply:* Would be interesting which label filter property key1 is - @Raul I am sure you know this. Spain is your environment, right? 😜

Mikey2000 (mscottscranton079@gmail.com)
2021-02-03 17:44:02

*Thread Reply:* But it looks like that attributes are not supported for Work Managed with Work Profile - confused:

Raul (rnadal@mobileiron.com)
2021-02-05 11:59:28

*Thread Reply:* WPCOD doesn’t support custom attributes, afaik

Raul (rnadal@mobileiron.com)
2021-02-05 12:00:24

*Thread Reply:* Even when the current method to register WPCOD devices with KME, ZT and QR code will change in the near future for good, as per today you need a dedicated KME profile and so on for WPCOD

Raul (rnadal@mobileiron.com)
2021-02-05 12:01:12

*Thread Reply:* So you can actually apply it to all devices that will be targeted as WPCOD

Mikey2000 (mscottscranton079@gmail.com)
2021-02-05 17:06:01

*Thread Reply:* Right, so:
- have 2 different profiles in KME for old COPE and WPCOD
- have 2 different labels on Core for old COPE and WPCOD.

For the old COPE we can use custom attributes via KME JSON. And for WPCOD we have to use a filter option like AD groups or device serial numbers or something that might work. Because the registration status „work managed with work profile“ won’t work.

Raul (rnadal@mobileiron.com)
2021-02-05 17:29:17

*Thread Reply:* did you also add the condition of Android enterprise capable = true to the dynamic label?

Raul (rnadal@mobileiron.com)
2021-02-05 17:30:36

*Thread Reply:* In any case, that’s going to be a temporal WA as on future release of Core and Cloud, Android 11 device will be handled as DO in any case and after registering, it will receive the command from server to turn into WPCOD or remain as DO

Mikey2000 (mscottscranton079@gmail.com)
2021-02-05 17:31:28

*Thread Reply:* No I didn’t. I thought this was only relevant everything lower Android 6 (or 5.1)

Raul (rnadal@mobileiron.com)
2021-02-05 17:48:42

*Thread Reply:* Nope, it’s required for timing thing when you send AE config to provision devices to DO, COPE, etc on a timely manner

Raul (rnadal@mobileiron.com)
2021-02-05 17:49:01

*Thread Reply:* by dynamic label

Mikey2000 (mscottscranton079@gmail.com)
2021-02-05 17:49:11

*Thread Reply:* Ah gotcha

Mikey2000 (mscottscranton079@gmail.com)
2021-02-05 17:49:15

*Thread Reply:* Good point

Raul (rnadal@mobileiron.com)
2021-02-05 17:52:24

*Thread Reply:* In any case, keep in mind that if on Android 11 we are no longer able to send attributes during provisioning, you should make your own approach with labels

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-02-05 17:52:49

*Thread Reply:* Right! Thanks! 🍺

Raul (rnadal@mobileiron.com)
2021-02-05 17:52:50

*Thread Reply:* I guess that once that ZT portal is integrated as iFrame into UEM, this will be easier

Raul (rnadal@mobileiron.com)
2021-02-05 17:53:04

*Thread Reply:* As you can even provision Samsung Devices from there

Raul (rnadal@mobileiron.com)
2021-02-05 17:53:17

*Thread Reply:* And forget about KME

Raul (rnadal@mobileiron.com)
2021-02-05 17:53:43

*Thread Reply:* :facewithcowboy_hat:

Mikey2000 (mscottscranton079@gmail.com)
2021-02-05 17:55:51

*Thread Reply:* Do you know when the iFrame integration with ZT is happening on Core?

Raul (rnadal@mobileiron.com)
2021-02-05 17:57:48

*Thread Reply:* Still no idea as Google opened it at the end of dec

👍 Mikey2000
Mark Vonk (mark.vonk@dahvo.com)
2021-02-05 18:03:09

*Thread Reply:* Good info Raul, thanks!

👍 Raul, Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-02-08 08:23:00

*Thread Reply:* Could OEM config help in this case?

Thomas Steinmetz (thomas.steinmetz@ebf.com)
2021-02-05 23:29:37

@Thomas Steinmetz has joined the channel

Tristan (xiale@microsoft.com)
2021-02-08 01:36:54

@Tristan has joined the channel

Miklós Kerékfy (kerekfym@gmail.com)
2021-02-09 13:10:51

@Miklós Kerékfy has joined the channel

Gary (mcconnell.gary@gmail.com)
2021-02-09 13:27:11

@Gary has joined the channel

Martijn Rijerse (martijn.rijerse@twentynice.com)
2021-02-09 15:46:47

@Martijn Rijerse has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-02-10 07:49:46

This might be a very stupid and rookie question, but how does an Admin re-generate a registration PIN for MI Cloud? Cannot find an action for that. I have received one after the first invite, do I need to invite again to receive another PIN for a new device?

Raul (rnadal@mobileiron.com)
2021-02-10 10:24:05

*Thread Reply:* Hey, I think you have to invite him again

Raul (rnadal@mobileiron.com)
2021-02-10 10:24:17

*Thread Reply:* that will generate a new PIN

Mikey2000 (mscottscranton079@gmail.com)
2021-02-10 11:21:50

*Thread Reply:* Ok thanks!

Massinissa Menas (menas.massinissa@gmail.com)
2021-02-10 09:21:03

@Massinissa Menas has joined the channel

Oliver Beyer (oliver.beyer@ebf.com)
2021-02-10 15:00:54

@Oliver Beyer has joined the channel

Justin Butts (justin.butts777@gmail.com)
2021-02-10 21:47:00

Anyone here setup the new Android 11 WPoFMD workflows that are replacing COPE for MI? Everything I do seems to be going full managed work profile only

Mark Vonk (mark.vonk@dahvo.com)
2021-02-11 06:49:24

*Thread Reply:* How are you enrolling the devices? QR, KME, ZTE?

David Johansson (david.johansson@outlook.com)
2021-02-11 07:10:56

*Thread Reply:* you’ll need to pass the JSON string {"workProfileEnabled":true} to the MobileIron app during enrolment.

David Johansson (david.johansson@outlook.com)
2021-02-11 07:11:45

*Thread Reply:* Screenshot from KME:

NicolasR (raison_nicolas@me.com)
2021-02-11 09:52:38

*Thread Reply:* You have been using the wrong APK url for the M@W client. The good one is the “nfc” url

Justin Butts (justin.butts777@gmail.com)
2021-02-11 17:26:39

*Thread Reply:* yeah so I'm using the NFC url I believe and work profile enabled is set to True

Justin Butts (justin.butts777@gmail.com)
2021-02-11 17:26:41

*Thread Reply:* coming in from QR

Justin Butts (justin.butts777@gmail.com)
2021-02-11 17:27:04

*Thread Reply:* KME not in place at the moment, expect no issues once I get that piece in place but relying on QR for now

Mark Vonk (mark.vonk@dahvo.com)
2021-02-11 17:27:43

*Thread Reply:* Did you generate a new QR?

Justin Butts (justin.butts777@gmail.com)
2021-02-11 17:28:42

*Thread Reply:* Yeah, built QR using MI Provision, then built another using straight JSON, both behave the same - fully managed work device, no profiles

Justin Butts (justin.butts777@gmail.com)
2021-02-11 17:29:44

*Thread Reply:* despite the WorkProfileEnabled:true and the config in MI dictating it

Justin Butts (justin.butts777@gmail.com)
2021-02-11 17:30:00

*Thread Reply:* have a call with MI later may be able to get to the bottom of it - We're on Core just updated to 11.0.0.1

Mark Vonk (mark.vonk@dahvo.com)
2021-02-11 17:31:50

*Thread Reply:* And the Android Enterprise config they get does have Work Profile enabled too? Labeling correct ? I have had no such issues so far with Core or Cloud so long as Work Profile Enabled was set to true in either KME or the QR

Justin Butts (justin.butts777@gmail.com)
2021-02-11 17:31:56

*Thread Reply:* Yep!

Justin Butts (justin.butts777@gmail.com)
2021-02-11 17:32:10

*Thread Reply:* Interesting - might blow it all away and start from scratch

Justin Butts (justin.butts777@gmail.com)
2021-02-11 17:32:18

*Thread Reply:* Some of their enrollment workflows predate me

Justin Butts (justin.butts777@gmail.com)
2021-02-12 00:28:44

*Thread Reply:* Oddly enough we got this working on Android 11 using Provisioner QR, but were unable to get it working using the raw JSON QR, though Android 10 liked the raw JSON QR just fine. 🙄

Justin Butts (justin.butts777@gmail.com)
2021-02-12 00:29:16

*Thread Reply:* thanks for your help @Mark Vonk

NicolasR (raison_nicolas@me.com)
2021-03-19 12:15:01

*Thread Reply:* By the way M@W 11.2 (April) will fix the Android 11 behavior for enrollment

Justin Butts (justin.butts777@gmail.com)
2021-02-10 21:55:43

err Enhanced Work Profiles

Paul Conaty (pconaty@cwsi.ie)
2021-02-11 12:08:55

Folks any experience here on managing non AE android phones in MobileIron? Is it as fully featured as WS1 and are MobileIron giving it any love?

Jason Bayton (jason@bayton.org)
2021-02-12 09:29:07

*Thread Reply:* MI, like WS1, is expected to turn down support for legacy DA this year, probably not to the degree of VMw but nevertheless. As well as this, since Nov last year the agents have been required to target Android 10 in Play, rendering older DA APIs unusable.

If you're talking Samsung and integrated Knox APIs you'll likely be OK, but it's not a super experience.

Paul Conaty (pconaty@cwsi.ie)
2021-02-12 09:50:38

*Thread Reply:* This is for management of Huawei devices.

Paul Conaty (pconaty@cwsi.ie)
2021-02-12 09:51:27

*Thread Reply:* I thought VMware were maintaining support for DA for legacy builds like field forces using Zebra/Honeywell devices?

Jason Bayton (jason@bayton.org)
2021-02-12 09:54:23

*Thread Reply:* Yeah but it's fully self-supported based on their docs. DA remains for existing customers, it's just not officially supported by default

Raul (rnadal@mobileiron.com)
2021-02-15 19:09:25

*Thread Reply:* Google require any UEM on AER to completely remove DA for all Android versions in 2022, and on Android 10 in 2021

👍 Jason Bayton, Paul Conaty
Paul Conaty (pconaty@cwsi.ie)
2021-02-16 16:08:36

*Thread Reply:* Hi @Raul does that mean that the AER UEMs would no longer be able to offer an enrolment and management option for AOSP devices or am I missing something?

Raul (rnadal@mobileiron.com)
2021-02-16 16:09:11

*Thread Reply:* There are other ways to manage those kind of devices.

Raul (rnadal@mobileiron.com)
2021-02-16 16:09:25

*Thread Reply:* But it’s more focused to IoT

Paul Conaty (pconaty@cwsi.ie)
2021-02-16 16:10:24

*Thread Reply:* so if an org needed to manage chinese phones for offices in china with their UEM they could be out of luck or could another option be looked at. Asking for a friend 🙂

Paul Conaty (pconaty@cwsi.ie)
2021-02-16 16:10:38

*Thread Reply:* chinese Android phones

Raul (rnadal@mobileiron.com)
2021-02-16 16:11:10

*Thread Reply:* I know, that’s why you can use a model similar to DO mode,

Raul (rnadal@mobileiron.com)
2021-02-16 16:11:19

*Thread Reply:* with a proprietary push service

Raul (rnadal@mobileiron.com)
2021-02-16 16:11:30

*Thread Reply:* made for China and for closed networks

👍 Paul Conaty
Paul Conaty (pconaty@cwsi.ie)
2021-02-16 16:11:52

*Thread Reply:* ah OK so the likes of the closed networks offering from WS1 might still be on the table

Raul (rnadal@mobileiron.com)
2021-02-16 16:12:19

*Thread Reply:* If the management is more similar to AE on DO mode than to DA, then yes

Raul (rnadal@mobileiron.com)
2021-02-16 16:13:32

*Thread Reply:* At least MI is investing to keep supporting China devices while they keep making Google happy

Raul (rnadal@mobileiron.com)
2021-02-16 16:13:49

*Thread Reply:* I guess that also other vendors will do the same

Paul Conaty (pconaty@cwsi.ie)
2021-02-16 16:13:51

*Thread Reply:* Cool so Google's requirement to completely remove DA for all Android versions in 2022, and on Android 10 in 2021 would not force WS1 to remove offerings around closed networks to meet the AER UEM criteria then?

Raul (rnadal@mobileiron.com)
2021-02-16 16:14:13

*Thread Reply:* I guess that yes. The idea is to deprecate the APIs

Raul (rnadal@mobileiron.com)
2021-02-16 16:14:23

*Thread Reply:* But there are other APIs to be used

Raul (rnadal@mobileiron.com)
2021-02-16 16:14:45

*Thread Reply:* AOSP and DA are not the same

Raul (rnadal@mobileiron.com)
2021-02-16 16:14:58

*Thread Reply:* AOSP supports other APIs

Raul (rnadal@mobileiron.com)
2021-02-16 16:15:26

*Thread Reply:* more close to the AE model of DO mode

Paul Conaty (pconaty@cwsi.ie)
2021-02-16 16:15:51

*Thread Reply:* Interesting to see how it plays out. I have a couple of use cases around this primarily for Chinese markets. My worry was OEMs that did not invest like Samsung in a strong set of OEM Config capabilities like KSP would be extremely limited to offer a supported management model

Jason Bayton (jason@bayton.org)
2021-02-16 16:19:14

*Thread Reply:* > OK so the likes of the closed networks offering from WS1 might still be on the table

Yes, this is still AE, but without managed Google Play. Device APIs only.

> My worry was OEMs that did not invest like Samsung in a strong set of OEM Config capabilities like KSP would be extremely limited to offer a supported management model

An increasing number of OEMs are going to OEMConfig, but for closed network the apps will need to support pushing a config XML file.

Paul Conaty (pconaty@cwsi.ie)
2021-02-16 16:21:43

*Thread Reply:* Thank you gents, you have given me food for thought

Michael Schiefele (schiefele@gmail.com)
2021-02-14 06:40:31

@Michael Schiefele has joined the channel

Michael Gow (michaelgow@google.com)
2021-02-15 19:54:25

@Michael Gow has joined the channel

Andre (andre@email.com)
2021-02-17 10:41:53

@Andre has joined the channel

mahiroux (mhyb.mk@gmail.com)
2021-02-27 08:39:17

We have a new SharePoint server configured to use Kerberos authentication. There are multiple web applications on this single SharePoint host. Now I am trying to configure Kerberos for SharePoint on Docs@Work (iOS) as per the documentation provided by MI, however I see HTTP 503 errors while accessing SharePoint from Docs@Work using Kerberos (accessing SharePoint using basic authentication is working fine). Question is, should I point the SharePoint host as SPN or should I point each web application as SPNs?

Raul (rnadal@mobileiron.com)
2021-02-27 23:25:04

*Thread Reply:* I do have this scenario deployed and both W@W and D@W can open SharePoint sites through Kerberos.

If you have 1 url for all webapps, you should be able to open all creating a Sentry service and delegating the Sentry service account to connect to SharePoint server SPN

If you have 1 different URL for each web app (which is the most professional way to do), you have to create a different SPN for each one and grant delegation access to each one from Sentry Service Account.

Raul (rnadal@mobileiron.com)
2021-02-27 23:25:42

*Thread Reply:* I do option 2

mahiroux (mhyb.mk@gmail.com)
2021-03-03 11:24:08

*Thread Reply:* @Raul Thank you for your reply. We do have option 2. I don't have visibility to AD and our system admin has said that he is not able to add the SPN of the web application for delegation under the Sentry service account as these are not machine accounts. How do we achieve that?

Raul (rnadal@mobileiron.com)
2021-03-03 11:34:14

*Thread Reply:* I actually followed this KB

Raul (rnadal@mobileiron.com)
2021-03-03 11:34:16

*Thread Reply:* https://www.noralku.net/2016/05/08/sharepoint-20132016-kerberos-authentication/

Raul (rnadal@mobileiron.com)
2021-03-03 11:35:35

*Thread Reply:* Once that you have the SPN of each SharePoint URL properly configured, you can delegate them to Sentry service account.

Raul (rnadal@mobileiron.com)
2021-03-03 11:36:44

*Thread Reply:* On iOS with W@W or Safari you will need iOS SSO applied, which is not KCD, but native kerberos, and works as well.

On D@W you just need to create the services, like on this example of OneDrive

Raul (rnadal@mobileiron.com)
2021-03-03 11:36:52

*Thread Reply:*

mahiroux (mhyb.mk@gmail.com)
2021-03-10 09:20:29

*Thread Reply:* Dear Raul, Sorry to keep bothering you. I have now added the SharePoint URLs under MobileIron service account delegation, however Docs@Work keeps prompting for credentials whenever the application is launched. In debug logs, I can see 'not forwarding TGT for delegation because ..... not applicable(doing S4U2Proxy)'. Any thoughts on this error?

mahiroux (mhyb.mk@gmail.com)
2021-03-10 09:29:21

*Thread Reply:* I am supposed to see only FQDN of the web application under delegation tab

Lucile Riand (lucile.riand@ebf.com)
2021-03-03 19:52:13

@Lucile Riand has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-03-04 19:49:46

Core 11 - what is the background of the message "enable full windows and macos management. Activate now"? Where can I find info about that?

Justin Butts (justin.butts777@gmail.com)
2021-03-04 21:09:26

*Thread Reply:* I see the same in Core 11.0.0.0.1 - every time I dismiss it forever it comes back next login haha. I think it wants admins to walk through the basic enrollment configs for mac and windows but not 100%. I refuse to activate 😂

😑 Woody
Ala Almaet (ala@alaalmaet.com)
2021-03-04 21:44:48

*Thread Reply:* that should go away provided you use the same browser it will remember the preference. You should be able to raise a support ticket to disable that banner

Jason (jasonh@bridgeway.co.uk)
2021-03-05 10:00:08

*Thread Reply:* This is for the MobileIron Bridge feature, now included with Secure UEM licences.

👍 Woody
Almar Diehl (almar.diehl@blaud.com)
2021-03-08 16:04:14

Just enrolled my first Android 11 device using KME. In the KME profile I added {"workProfileEnabled":true,"quickStart":true} and selected 'Let MDM choose to enroll as a Device Owner or Profile Owner'. Device configures OK, with 2 profiles. However, the Mobile@Work app does not automatically launch for registration. Need to open it in the Work Profile and enter the registration PIN. Is this working as designed or am I missing something?

Raul (rnadal@mobileiron.com)
2021-03-08 18:08:16

*Thread Reply:* That’s because we are still on phase 1 of support of WP-C

Raul (rnadal@mobileiron.com)
2021-03-08 18:09:44

*Thread Reply:* During April it will be addressed on Core and Cloud, where device will be provisioned as DO mode (aka the flow you know for COPE and DO devices up to Android 10), will force user to register, and then UEM client will convert device into WP-C

👍 Woody
Raul (rnadal@mobileiron.com)
2021-03-08 18:10:06

*Thread Reply:* Then you will not need the parameter on json

Raul (rnadal@mobileiron.com)
2021-03-08 18:11:06

*Thread Reply:* On Core it will require only M@W 11.2. No Core update is required.

On Cloud it will come within R77 and Go R77.

All will be released in April, but for sure beta of M@W 11.2 will be released before.

👍 Woody, Daniel Kr.
Raul (rnadal@mobileiron.com)
2021-03-08 18:11:35

*Thread Reply:* You’re almost there

Almar Diehl (almar.diehl@blaud.com)
2021-03-08 18:12:59

*Thread Reply:* Thanks a million Raul!

👍 Raul
Alexander Wendling (alexander.wendling@blaud.com)
2021-03-08 18:42:55

@Alexander Wendling has joined the channel

🙌 Thomas B.
Woody (eric.woodland@trust.tc)
2021-03-10 20:23:57

Anyone know if Core supports the ability to assign an identity cert for WiFi via PKCS?

Ladislav Blazek (ladislav@lblazek.cz)
2021-03-10 20:32:43

*Thread Reply:* If you mean single identity certificate uploaded to Core then yes, it is supported for Wifi, VPN etc.

Woody (eric.woodland@trust.tc)
2021-03-10 20:37:08

*Thread Reply:* Yes, single identity cert. However, can the bundle be created/issued dynamically like Microsoft Intune does with their Cert Connector?

Ladislav Blazek (ladislav@lblazek.cz)
2021-03-10 20:40:57

*Thread Reply:* No, this is manually uploaded file only. If you need automation, then SCEP is way to go. It doesn’t mean it needs to be direct (device -> CA). MI Core can act as middle man.

👍 Woody
Ladislav Blazek (ladislav@lblazek.cz)
2021-03-10 20:42:25

*Thread Reply:* Basically Core will handle the cert issuance and provisioning.

👍 Woody
Ladislav Blazek (ladislav@lblazek.cz)
2021-03-10 20:44:21
Woody (eric.woodland@trust.tc)
2021-03-10 20:46:08

*Thread Reply:* Yeah, have a customer that stood up a new PKI and no NDES

Ladislav Blazek (ladislav@lblazek.cz)
2021-03-10 20:47:03

*Thread Reply:* Ahhh… but MI Core need NDES for this.

Woody (eric.woodland@trust.tc)
2021-03-10 20:47:28

*Thread Reply:* They’re moving to Intune and it utilizes their PKCS capabilities.

Ladislav Blazek (ladislav@lblazek.cz)
2021-03-10 20:49:01

*Thread Reply:* I see… so technically you need to use DCOM protocol - not supported by MI, only SCEP.

👍 Woody
Woody (eric.woodland@trust.tc)
2021-03-10 20:51:03

*Thread Reply:* Yes sir! That’s what I was getting at

Ladislav Blazek (ladislav@lblazek.cz)
2021-03-10 20:54:43

*Thread Reply:* everyone is migrating to Intune… /rant

🤣 Mikey2000
Woody (eric.woodland@trust.tc)
2021-03-10 21:02:05

*Thread Reply:* Migrating.. but the question is will they stay 😉

Raul (rnadal@mobileiron.com)
2021-03-10 21:10:02

*Thread Reply:* Hey, some people need to taste a bad beer to appreciate the good ones

👍 Woody, Mikey2000, Daniel Kr.
🤣 Mikey2000
Raul (rnadal@mobileiron.com)
2021-03-10 21:11:07

*Thread Reply:* Every customer that comes to me with the statement “I’ve tested Intune” always finish it with “And I don’t like it. That’s why you’re here” 😂

👍 Woody, Mikey2000, Daniel Kr.
Mikey2000 (mscottscranton079@gmail.com)
2021-03-11 13:05:55

Enrolling Zebra OTA with Core - one requirement is that the managed device has been added a Google Account within the Android Enterprise configuration. Why do we need this? That would mean we would need a managed domain with Google, right? We have setup Android Enterprise without registering a Domain with Google.

Matt Dermody (jmdermody@gmail.com)
2021-03-11 14:36:10

*Thread Reply:* It's a pretty complicated procedure still requiring two Zebra apps to be distributed from Managed Play with Managed Configs

Matt Dermody (jmdermody@gmail.com)
2021-03-11 14:36:49

*Thread Reply:* If MI supports .ZIP based firmware updates then I would recommend that path since LifeGuard OTA still has a long way to go

Matt Dermody (jmdermody@gmail.com)
2021-03-11 14:37:57

*Thread Reply:* Not only do you need an AE binding and the devices to have access to the Play Store, you also need the end customer to register a Zebra portal account and for the devices to all pass validation that they are under an active support contract before they are eligible to receive the updates

Matt Dermody (jmdermody@gmail.com)
2021-03-11 14:39:49

*Thread Reply:* The two apps:

Matt Dermody (jmdermody@gmail.com)
2021-03-11 14:39:51

*Thread Reply:*

Matt Dermody (jmdermody@gmail.com)
2021-03-11 14:39:58

*Thread Reply:*

Matt Dermody (jmdermody@gmail.com)
2021-03-11 14:40:39

*Thread Reply:* Screenshots taken from SOTI’s Managed Play iFrame, but the concept is the same

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-03-12 15:14:38

*Thread Reply:* Thanks Matt. I will take a look at this! ✌️

Woody (eric.woodland@trust.tc)
2021-03-16 19:36:52

Anyone been using the MI Cloud API today? Tried to utilize it earlier to onboard a few devices (with EBF Migrator) and it was seemingly acting up

Jason (jasonh@bridgeway.co.uk)
2021-03-17 08:21:33

*Thread Reply:* Yup, all our IronWorks customer ingests worked fine this morning - their EU instances, if that helps?

👍 Woody
Woody (eric.woodland@trust.tc)
2021-03-17 15:14:25

*Thread Reply:* @Jason thanks for the report back. I’ll give it another try today!

Jason (jasonh@bridgeway.co.uk)
2021-03-17 15:29:52

*Thread Reply:* Good luck!

👍 Woody
Daniel Kr. (daniel.kraussler@cancom.at)
2021-03-17 08:44:20

@Daniel Kr. has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-03-17 10:02:56

Is it supported to use the KVP like HTTP_PREFIX: mibrowser with ANY app that was wrapped with the AppConnect SDK or is this app specific and not related to AppConnect? We would like to open all links within an AppConnect wrapped app to open with Web@Work.

Raul (rnadal@mobileiron.com)
2021-03-17 11:07:35

*Thread Reply:* well, there are 2 ways to do so.

mibrowser and mibrowsers:// URL patterns are declared by the app developer and belong to W@W so you can call them from any link.

You can develop your app adding a managed config that, without changing the URL links that the app shows, forces the app to always open links within a specific browser (W@W).

Raul (rnadal@mobileiron.com)
2021-03-17 11:08:09

*Thread Reply:* Ex, I can add a KVP to Email+ to always open any link on mail with W@W, even when those links are of type http:// or https://

Raul (rnadal@mobileiron.com)
2021-03-17 11:08:41

*Thread Reply:* If your developer is good, it’s always better to add this feature within your own app

Raul (rnadal@mobileiron.com)
2021-03-17 11:08:52

*Thread Reply:* like on Email+ example

Mikey2000 (mscottscranton079@gmail.com)
2021-03-17 11:30:37

*Thread Reply:* Right I see. So in our case that might be a problem because the wrapped app is not our development, it is Cisco Jabber.

Raul (rnadal@mobileiron.com)
2021-03-17 20:56:29

*Thread Reply:* Be careful with this as wrapping apps without developer permissions is a violation of the ToS

Mikey2000 (mscottscranton079@gmail.com)
2021-03-17 21:14:13

*Thread Reply:* We have signed a deal with Cisco

Mikey2000 (mscottscranton079@gmail.com)
2021-03-17 21:14:40

*Thread Reply:* Otherwise we would not have received the binaries

Raul (rnadal@mobileiron.com)
2021-03-17 21:25:39

*Thread Reply:* Ah, OK

Justin Butts (justin.butts777@gmail.com)
2021-03-17 17:47:01

soooooo just exported our device list with Advanced Details and noticed a field labelled passcode that to my absolute shock listed 6 digit passcodes.... has anyone seen this and can anyone tell me what I'm actually seeing there before I have an existential breakdown...surely I'm not seeing a user's passcode...right? RIGHT!?

Florent N. (Florent.NOSARI@econocom.com)
2021-03-17 17:54:08

*Thread Reply:* This is a PIN if you use PIN based registration

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2021-03-17 18:04:59

*Thread Reply:* So just to clarify, no, not their passcode. It’s their PIN for PIN based registration

👍 Woody
Justin Butts (justin.butts777@gmail.com)
2021-03-17 18:41:05

*Thread Reply:* PHEWWWWEEEEE

Justin Butts (justin.butts777@gmail.com)
2021-03-17 18:41:27

*Thread Reply:* Thanks @Jason @Florent N. my blood pressure is coming back down

😂 Jason, Raul
👍 Jason
❤️ Florent N.
Raul (rnadal@mobileiron.com)
2021-03-17 20:57:15

*Thread Reply:* It’s impossible to gather Unlock PIN codes

Raul (rnadal@mobileiron.com)
2021-03-17 20:57:38

*Thread Reply:* They are simply registration PINs as the rest of folks mentioned

Raul (rnadal@mobileiron.com)
2021-03-17 20:57:53

*Thread Reply:* That CSV is cool to get when a PIN is about to expire, btw

Raul (rnadal@mobileiron.com)
2021-03-17 20:58:16

*Thread Reply:* registration PIN

Pete (peter.klima@cancom.at)
2021-03-18 16:18:21

@Pete has joined the channel

Jason (jasonh@bridgeway.co.uk)
2021-03-23 13:47:40

^ Hey, that was my suggestion months ago! 😉

👍 Woody
👍🏻 Prip
Jason Bayton (jason@bayton.org)
2021-03-23 18:42:23

Couldn't pretend it wasn't happening any longer @Jason 😉

🤣 Jason, Prip, Mathieu Beaugrand, Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-03-24 13:29:17

How do you guys handle shared mailboxes with Office 365 and mail clients? On iOS we now use the native client and on Android Enterprise Email+ v3. Can we use shared mailboxes with these clients? We don’t want to switch to the Outlook app

Peter Mohr (pm@conscia.com)
2021-03-24 16:57:09

Native mail for sure supports multiple mailboxes. But you need to be able to “login” to each… If you use certificates you can issue “SharedMailboxAccess” certificates to your users to enable auto-login to a different mailbox with no username password

Mikey2000 (mscottscranton079@gmail.com)
2021-03-24 17:30:20

*Thread Reply:* Thanks Peter. But isn’t it the case when you create a shared mailbox in O365 (which needs no license) you don’t get a password but the users which have been granted access can authenticate with their standard O365 password? We don’t have certificates with Core yet.

Peter Mohr (pm@conscia.com)
2021-03-24 19:27:29

*Thread Reply:* Shared Mailboxes come in many shapes and sizes… Some have an underlying account, some don’t. Some apps require “Full access” in order to access them (Outlook Mobile App being one) while others need just “Delegate” or “On behalf of” (Desktop Outlook)… AFAIK ActiveSync only allows you to connect to mailboxes with accounts behind. You can’t login as userA and get access to userB’s mailbox (over ActiveSync). We provision devices with certs for userA and userB in this case. Each configuring its own mailbox

Dan Whiteley (danw@avr.co.uk)
2021-03-25 13:55:21

@Dan Whiteley has joined the channel

Woody (eric.woodland@trust.tc)
2021-03-27 03:54:53

Ivanti ad popped into my Facebook feed. All normal, I’d suppose. It’s the comment that made me laugh 😆

😂 Jason Bayton, Ajay Patel, Jason, Mikey2000, Clark, Justin Butts
Justin Butts (justin.butts777@gmail.com)
2021-04-06 15:57:13

*Thread Reply:* This may deserve a Jim Philips emoji :legend: hahaha

😆 Woody
Woody (eric.woodland@trust.tc)
2021-04-06 16:25:18

*Thread Reply:* Haha @Justin Butts

Mikey2000 (mscottscranton079@gmail.com)
2021-03-29 10:44:54

Is there 2-Factor Auth for Admin Login with the Admin Portal on Core?

Raul (rnadal@mobileiron.com)
2021-03-29 18:23:32

*Thread Reply:* Not without an IDP, or without MI Access.

I’ve enabled ZSO on MI Core so I can leverage QR code or MFA.

Raul (rnadal@mobileiron.com)
2021-03-29 18:24:30
Mikey2000 (mscottscranton079@gmail.com)
2021-03-29 18:39:15

*Thread Reply:* Great thanks. ZSO is part of the new Secure UEM Premium bundle right? If not, we have to federate our Core with ADFS and use ADFS MFA, right? Is there a guide for that?

Mikey2000 (mscottscranton079@gmail.com)
2021-03-29 20:47:25

How can I remove certain devices from a default label like iOS? Can I edit the default label?

I found this where a new label with the exclusion is created:

https://help.mobileiron.com/s/article-detail-page?Id=kA134000000Qx8VCAS

Is there no impact for the devices if I add the new label to the configuration and remove the old label from the configuration - in my case I have an Exchange config on the default iOS label. Will that cause a re-push of the mailbox if I change labels?

Almar Diehl (almar.diehl@blaud.com)
2021-03-30 06:43:13

*Thread Reply:* If you first add the new label and then remove the old label there is no impact at all (besides the fact that the Exchange config is removed from the excluded devices in the new label of course). No re-push of the mailbox.

👍 Mikey2000
Steve Hayton (shayton@bridgeway.co.uk)
2021-03-30 09:08:56

*Thread Reply:* Excellent advice from Almar, I would caveat that you co label the Exchange config for as long as you can until all active devices have checked in (When doing this with customers I suggest 2 weeks) - this lets you manage the exceptions of devices that lose the mailbox for up to 4 hours by ensuring no impact on regularly active devices

👍 Mikey2000, Phil Hackett
Mikey2000 (mscottscranton079@gmail.com)
2021-03-30 09:17:56

*Thread Reply:* Thanks guys 👍👍🙌🙌

Mikey2000 (mscottscranton079@gmail.com)
2021-04-01 18:26:52

*Thread Reply:* Worked like a charm! Thanks 🙏

👍 Steve Hayton
Mikey2000 (mscottscranton079@gmail.com)
2021-04-02 18:56:34

We have a self-developed internal website which we made accessible via MobileIron Tunnel. The website will be displayed correctly within Safari, but not within W@W. I thought W@W is based on the Safari engine, but obviously there are still some limitations. I have tried a couple of KVPs for W@W (like Cookies, Javascript, etc) but still no change. Any ideas how we could troubleshoot this in order to fix it? If that is even possible.

Raul (rnadal@mobileiron.com)
2021-04-05 10:38:55

*Thread Reply:* Have you tried changing the agentID of W@W to mimic Safari?

Mikey2000 (mscottscranton079@gmail.com)
2021-04-05 10:41:27

*Thread Reply:* Great input - no I didn’t. Is that KVP in the docu?

Mikey2000 (mscottscranton079@gmail.com)
2021-04-05 18:48:56

*Thread Reply:* Found it and tried this one:

Mozilla/5.0 (iPhone; CPU iPhone OS 1442 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1

Still the same.

Raul (rnadal@mobileiron.com)
2021-04-08 12:36:50

*Thread Reply:* what is the system behind your webserver? SharePoint or which one?

Mikey2000 (mscottscranton079@gmail.com)
2021-04-08 12:41:19

*Thread Reply:* That I don’t know. I have to ask the product owner. It is not a Sharepoint. Is there a limitation or why do you ask that specifically?

Raul (rnadal@mobileiron.com)
2021-04-08 15:49:48

*Thread Reply:* Just to find if I can replicate

Mikey2000 (mscottscranton079@gmail.com)
2021-04-08 15:50:31

*Thread Reply:* Let me find that out

Raul (rnadal@mobileiron.com)
2021-04-08 23:44:37

*Thread Reply:* websites that work on Safari usually work as well on W@W, as now both rely on the WKWebView library

Woody (eric.woodland@trust.tc)
2021-04-12 18:37:06

Can anyone confirm if Email+ for iOS is able to support modern auth to access O365 via IMAPS?

Mark Vonk (mark.vonk@dahvo.com)
2021-04-12 22:06:25

*Thread Reply:* IMAP ? ActiveSync; yes sure. But IMAP? It’s 2021 @Woody ! 😁

Woody (eric.woodland@trust.tc)
2021-04-12 22:08:59

*Thread Reply:* @Mark Vonk You’d be surprised who is operating on IMAPS + OAuth these days. If you aren’t using the client specifically designed for your service (e.g Outlook/Gmail) there aren’t a whole lot of other options.

Mark Vonk (mark.vonk@dahvo.com)
2021-04-13 08:58:17

*Thread Reply:* No I do not think OAuth works for IMAP

Woody (eric.woodland@trust.tc)
2021-04-13 16:09:46

*Thread Reply:* @Mark Vonk Check out GMail inside the iOS/iPadOS Mail client 😉

Mark Vonk (mark.vonk@dahvo.com)
2021-04-13 16:16:59

*Thread Reply:* I meant that MI Core does not seem to support oauth for IMAP. At least in the UI there is no option for it.

Woody (eric.woodland@trust.tc)
2021-04-13 16:20:44

*Thread Reply:* Ahh yeah, that’s all handled client-side when you push the Google Account config to the device

Woody (eric.woodland@trust.tc)
2021-04-13 16:21:55

*Thread Reply:* But agree, I’m not seeing much in terms of Email+ for iOS being able to usher-in an O365/GMail account using modern auth. It’s EAS or nothing

Mikey2000 (mscottscranton079@gmail.com)
2021-04-13 07:29:55

MobileIron Core - changing port 8080 to 443 for CRL - any device impact?

Mark Vonk (mark.vonk@dahvo.com)
2021-04-13 09:00:01

*Thread Reply:* Yes. CRL should not be published with SSL in general. But yes, it does impact it. You will need to re-push all client certs.

Mikey2000 (mscottscranton079@gmail.com)
2021-04-13 09:00:58

*Thread Reply:* I see.. An external audit flagged 8080 for CRL.

Mikey2000 (mscottscranton079@gmail.com)
2021-04-13 09:01:39

*Thread Reply:* Because you would then also need a CRL for the CRL.. literally speaking

Mark Vonk (mark.vonk@dahvo.com)
2021-04-13 09:04:57

*Thread Reply:* CRL, like certificates, are objects which are always signed, and never used without verifying that signature, so they can be served over plain HTTP. Using HTTPS to serve CRL is just wasted resources; it may even prevent CRL download from working since some implementations (e.g. Windows) refuse to follow HTTPS URL when validating certificates (be it for CRL, OCSP, or extra intermediate CA download), because that would mean SSL, then another certificate to validate, and possibly an endless loop.

👍 Mikey2000, Raul, Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-04-13 09:06:34

*Thread Reply:* Thanks Mark! That explains it!

Mikey2000 (mscottscranton079@gmail.com)
2021-04-13 09:17:50

*Thread Reply:* It looks like with newer versions of Core the CRL is default 443

Raul (rnadal@mobileiron.com)
2021-04-13 11:47:53

*Thread Reply:* I think that the sentence from the article is “you’d fall into an endless loop”

Raul (rnadal@mobileiron.com)
2021-04-13 11:49:21

*Thread Reply:* This is the answer to that question from a MS MVP on the internet.

“Use HTTP since Microsoft clients no longer support HTTPS for downloading CRLs. Think about it, you are setting up a chicken and the Egg scenario. 1) I need to download the CRL 2) Oh the site is protected by SSL 3) Look the SSL certificate has a CDP extension. 4) Goto Step 1

Remember that a CRL is a public domain object and contains non-privacy information.”

Mikey2000 (mscottscranton079@gmail.com)
2021-04-13 11:50:19

*Thread Reply:* But why is Core using 443 for CRL as default with new versions then?

Raul (rnadal@mobileiron.com)
2021-04-13 11:50:31

*Thread Reply:* Good question

Raul (rnadal@mobileiron.com)
2021-04-13 11:50:43

*Thread Reply:* I still have 8080

Raul (rnadal@mobileiron.com)
2021-04-13 11:50:58

*Thread Reply:* I’d open a ticket with MI Support to ask that

Raul (rnadal@mobileiron.com)
2021-04-13 11:51:11

*Thread Reply:* it’s a valid question

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-04-13 11:51:22

*Thread Reply:* I have installed a new version in my lab and there is 443 default - this confuses me.

Mark Vonk (mark.vonk@dahvo.com)
2021-04-13 12:10:34

*Thread Reply:* Since Core 10.5 it should default to 8080

Raul (rnadal@mobileiron.com)
2021-04-13 13:03:23

*Thread Reply:* This is from Core 10.4 manual

Raul (rnadal@mobileiron.com)
2021-04-13 13:03:25

*Thread Reply:* Reachability of Local Certificate Authority CRL distribution points: The default port and protocol have changed for provisioning Local CA Certificate Revocation List distribution points (CDPs). The System Manager now configures CDPs to use port 8080 and protocol HTTP by default. Previously, the defaults were port 443 and HTTPS. Local CA CDPs that were configured to use HTTPS through port 443 will still be reachable. For more information, see “Port Settings” in the MobileIron Core System Manager Guide.

Raul (rnadal@mobileiron.com)
2021-04-13 13:04:15

*Thread Reply:* So Core 10.5+ should install CA CRL over http by default, to avoid issues

Woody (eric.woodland@trust.tc)
2021-04-13 18:57:39

Yeowch. https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-users-cant-login-due-to-expired-certificate/

Woody (eric.woodland@trust.tc)
2021-04-13 18:58:57

*Thread Reply:* Twitter reveals they have released updated versions of the code with current certificates ~3 hours ago

Caryn (Csnshop@icloud.com)
2021-04-13 21:16:48

*Thread Reply:* 🤯

Woody (eric.woodland@trust.tc)
2021-04-13 21:33:11

*Thread Reply:* @Caryn Makes you wonder if something/someone was disgruntled as part of the acquisition

😏 Caryn
Woody (eric.woodland@trust.tc)
2021-04-14 20:19:14

By chance, anyone having issues enrolling Apple devices to MobileIron Cloud? Edit: It seems to be specific to the NA2 cluster

Woody (eric.woodland@trust.tc)
2021-04-14 20:21:40

*Thread Reply:* Attempting via web-based and User Enrollment (kicked-off from the MI Go App) and seeing the same result

Woody (eric.woodland@trust.tc)
2021-04-14 20:22:19

*Thread Reply:* Also tried using Cellular and WiFi. Same result. Really odd

Justin Butts (justin.butts777@gmail.com)
2021-04-15 00:54:36

*Thread Reply:* Received a few of these today in Core

😳 Woody
Justin Butts (justin.butts777@gmail.com)
2021-04-15 00:54:41

*Thread Reply:* just a fluke on our side

Woody (eric.woodland@trust.tc)
2021-04-15 15:08:17

*Thread Reply:* Interesting @Justin Butts. This one was weird, because it’s in the MI Cloud hosted environment

Woody (eric.woodland@trust.tc)
2021-04-15 15:40:29

*Thread Reply:* Still continuing to be a hit-or-miss scenario

‼️ Justin Butts
mahiroux (mhyb.mk@gmail.com)
2021-04-16 09:41:50

Is it possible to configure Kerberos for SharePoint on AE docs@work without Hypergate, if I use app connect and do not use web-view?

Woody (eric.woodland@trust.tc)
2021-04-16 14:57:34

*Thread Reply:* @mahiroux IIRC (and it has been awhile).. Docs@Work enabled with AppConnect would connect with the Sentry which would use an identity certificate.. which could be configured in the Sentry to use Kerberos for the SharePoint site/URL.

👍 mahiroux
Mark Vonk (mark.vonk@dahvo.com)
2021-04-20 14:52:26

*Thread Reply:* AppConnect is not supported within Android enterprise. The only viable option is hypergate right now.

mahiroux (mhyb.mk@gmail.com)
2021-04-20 16:36:54

*Thread Reply:* Looks like apptunnel is still supported in AE docs@work. I am still able to connect to backend services from Docs@work.

Mark Vonk (mark.vonk@dahvo.com)
2021-04-20 16:38:28

*Thread Reply:* It might work, but officially it is not supported. See: https://help.mobileiron.com/s/article-detail-page?Id=kA13n000000PQSACA4

Mark Vonk (mark.vonk@dahvo.com)
2021-04-20 16:39:34

*Thread Reply:* AFAIK appconnect for Android is only maintained to service customers still on DA

👍 Woody
Jeroen (kruitje@outlook.com)
2021-04-16 15:43:11

@Jeroen has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-04-20 09:38:11

MobileIron Core -> Security Policy > If a device has not connected to Core within x days is enabled with „Block Email, AppConnect apps and Send alert“ If we look under ActiveSync within Core, users which have violated this rule still have the status ALLOWED. Shouldn’t this be set to blocked? We use iOS native mail - FQDN is Sentry. The alert is working - Core is sending this alert

Steve Hayton (shayton@bridgeway.co.uk)
2021-04-20 10:42:06

*Thread Reply:* Hi Mikey, the block is being done by the Sentry server stopping the connection. Does not affect the underlying ActiveSync

Mikey2000 (mscottscranton079@gmail.com)
2021-04-20 11:40:06

*Thread Reply:* Thanks Steve. But since the mail client connects to Sentry, it should be blocked, right? I don’t understand the purpose of Sentry in this case if EAS will not be blocked

Steve Hayton (shayton@bridgeway.co.uk)
2021-04-20 12:00:25

*Thread Reply:* The clients talk to the Sentry and then the Sentry talks to EAS. If the Sentry blocks the connection then the client does not get email as there is no route for it. Exchange itself knows nothing about this block

Mikey2000 (mscottscranton079@gmail.com)
2021-04-20 12:51:13

*Thread Reply:* Right, that is exactly what I mean. But the device still can sync emails via Sentry and the ActiveSync status on Core is not blocked even though the alert was triggered

Mark Vonk (mark.vonk@dahvo.com)
2021-04-20 14:55:52

*Thread Reply:* Maybe the device has been manually allowed. The block in that case won't be executed. Delete the ActiveSync device on Core and once the device connects again, it should be blocked now. Never manually allow an ActiveSync device as it will break the automatic Block feature.

mahiroux (mhyb.mk@gmail.com)
2021-04-20 10:14:00

On some of the OPPO phones, users have personal apps such as Facebook in the work profile. How do we disable personal apps appearing in the work profile?

Mark Vonk (mark.vonk@dahvo.com)
2021-04-20 14:53:42

*Thread Reply:* In the lockdown policy you can define a blacklist of system apps to block.

mahiroux (mhyb.mk@gmail.com)
2021-04-20 16:12:17

*Thread Reply:* Do I need to blacklist all package IDs of system apps? I am wondering why Facebook and Gamespace would be considered system apps in OPPO?

Mark Vonk (mark.vonk@dahvo.com)
2021-04-20 16:15:14

*Thread Reply:* It varies by manufacturer, device and Android version which apps are deemed system apps. With Samsung on Android 11 Facebook is also a system app. I do not understand this either. I believe @Jason Bayton is passionate about this (ab)use too. Anyway, yes you need to add the package identifiers, like you did in the example 👌

🔥 Jason Bayton, mahiroux
mahiroux (mhyb.mk@gmail.com)
2021-04-20 16:23:13

*Thread Reply:* @Mark Vonk Thanks. What is the easiest way to get the package ID of these apps? We have a BYOD policy and users are coming up with as many brands as are available in the market.

Mark Vonk (mark.vonk@dahvo.com)
2021-04-20 16:36:28

*Thread Reply:* I use an app like the following to find the app id: https://play.google.com/store/apps/details?id=com.csdroid.pkg Unfortunately with BYOD, you can't disable all system apps upon registration. This is AFAIK only available for Device Owner enrollments.

Jason Bayton (jason@bayton.org)
2021-04-20 16:38:44

*Thread Reply:* Reach out to Oppo support to raise it with them as officially as you can. Send me screenshots showing the issue and I'll escalate with Google also. They've screwed up the vital app config either accidentally or purposefully

Daniel Kr. (daniel.kraussler@cancom.at)
2021-04-22 10:01:27

Hello everyone, I have the following problem with WebDAV and docs@work under iOS (MobileIron Core v11.1, configuration created in MobileIron Core, etc.): as soon as I open the site in docs@work, the authentication prompt comes up; after entering the credentials, the authentication popup comes up again, and the whole thing repeats in an endless loop. In the trace on the Sentry you see an anonymous 401 error. The whole thing works via the Safari or Chrome browser or other WebDAV apps; only docs@work just does not want to. Under Android the whole thing runs. Does anyone know this behavior?

mahiroux (mhyb.mk@gmail.com)
2021-04-26 13:20:39

Hello, I have removed some of the apps from the ‘Silently install for mandatory app’ option for Android enterprise deployment. Post this change, newly enrolled users do not see these apps in Managed play store; however, existing users who were already using android enterprise see the apps even if they register a new device. Has anyone noticed some behavior?

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-04-28 16:16:28

@Gianmarco Cerruti has joined the channel

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-04-28 16:21:07

Hello everyone! I am a sporadic user of MobileIron, I was setting up an Android 9 device in Fully Managed mode and I was wondering is it possible to block the use of an app? For example on this device Facebook is installed natively and I don't want users to be able to use it. From what I see I can blacklist the app and receive a non-compliance notification but not block its use. Are there any other configurations to set? Thanks!

Woody (eric.woodland@trust.tc)
2021-04-28 16:26:36

*Thread Reply:* Hola @Gianmarco Cerruti - Are you using Zero Touch? You can use the DPC Options to configure whether the system apps are enabled/disabled, etc https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxOmCAK

Florent N. (Florent.NOSARI@econocom.com)
2021-04-28 17:41:14

*Thread Reply:* You can disable it from Lockdown if Core or restriction config if Cloud

Woody (eric.woodland@trust.tc)
2021-04-28 19:51:39

*Thread Reply:* If you want full control over the device and apps, it’s easier to just disable system apps and usher-in what’s needed. Then you know the bloatware is off the device and you’re in full control of what apps are installed/available for request to install.

👍 Mark Vonk
Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-04-29 08:21:59

*Thread Reply:* Thanks everyone! For these devices I disabled the app from the restrictions. In the future I will consider to disable them directly in the enrollment phase, but I think it is possible only for KME Samsung or Zero Touch AE, or I can from MobileIron regardless?

Steve Hayton (shayton@bridgeway.co.uk)
2021-04-29 08:31:21

*Thread Reply:* Hi, using QR code for Device Owner mode there is a tickbox inside the MobileIron Provisioner app that lets you remove system apps, it is not Knox or Zero Touch dependent

👍 Woody
Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-04-29 08:43:33

*Thread Reply:* Perfect! Can I kindly ask in which menu I find the QRcode configuration for enrollment on MobileIron cloud console? thanks!

Steve Hayton (shayton@bridgeway.co.uk)
2021-04-29 08:48:10

*Thread Reply:* Will PM you

Woody (eric.woodland@trust.tc)
2021-04-29 16:07:47

*Thread Reply:* Good one, @Steve Hayton! Yes, all that is initiated via the QR code that is generated (for whatever system you are enrolling into). In this case, the MI Provisioner App. Others dynamically generate the QR code inside the Admin/management UI, etc.

Steve Hayton (shayton@bridgeway.co.uk)
2021-04-29 16:22:50

*Thread Reply:* thanks Woody, all done and confirmed working :)

💪 Woody
Woody (eric.woodland@trust.tc)
2021-04-29 17:22:11

*Thread Reply:* Awesome @Steve Hayton!

Kiran Patel (kiran@kiranpatel.net)
2021-05-04 21:59:39

Does anyone know if Citrix Workspaces supports iOS Managed appconfig for the server URL?

Peter Mohr (pm@conscia.com)
2021-05-04 22:05:55

*Thread Reply:* It doesn’t. Citrix now has some fancy e-mail discovery config thing online

Peter Mohr (pm@conscia.com)
2021-05-04 22:15:22

*Thread Reply:* https://www.citrix.com/blogs/2013/04/01/configuring-email-based-account-discovery-for-citrix-receiver/

Kiran Patel (kiran@kiranpatel.net)
2021-05-05 01:13:12

*Thread Reply:* Thanks! I was hoping to pre-populate our Citrix cloud tenant for the iOS app so users don't have to type it in

Kiran Patel (kiran@kiranpatel.net)
2021-05-07 04:01:53

*Thread Reply:* Figured I would share in case this helps anyone. Figured this out with the help of Citrix

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>url</key>
    <string>companyurl.cloud.com</string>
</dict>
</plist>

Kiran Patel (kiran@kiranpatel.net)
2021-05-07 04:02:19

*Thread Reply:* should have tried URL but I tried almost every other permutation of it lol

Almar Diehl (almar.diehl@blaud.com)
2021-05-05 08:31:30

Anyone else seeing this? After upgrading Core server to 11.2, for some reason all Exchange ActiveSync profiles are modified and sent to all devices. This leads to a full sync when using Kerberos authentication and users having to enter their password when using basic authentication.

Steve Hayton (shayton@bridgeway.co.uk)
2021-05-05 08:36:44

*Thread Reply:* Hi, I did our live (Exchange ActiveSync through a Sentry to Google) and Demo (Exchange ActiveSync through a Sentry to Office 365) yesterday with no Exchange profile modification/resend. I don't have a test with on prem any to test your specific use case but as far as I can tell this is not a global "Exchange Config" issue

Thomas B. (tbosboom@apple.com)
2021-05-06 13:22:54

*Thread Reply:* I received a notification from a certain local ACN about this …

Justin Butts (justin.butts777@gmail.com)
2021-05-06 15:29:44

*Thread Reply:* This is concerning - we have core updates due soon.

Mikey2000 (mscottscranton079@gmail.com)
2021-05-05 12:50:57

Is there a way to find out via CLI if the access to the admin portal of Core was restricted and is only accessible for certain IP ranges? We can’t access the admin portal anymore and I suspect one of the other admins misconfigured this within the System Manager of Core.

mahiroux (mhyb.mk@gmail.com)
2021-05-05 13:33:51

*Thread Reply:* Did you try ‘show portalacl’ in enable mode?

Mikey2000 (mscottscranton079@gmail.com)
2021-05-05 13:34:30

*Thread Reply:* Not yet

mahiroux (mhyb.mk@gmail.com)
2021-05-05 13:40:04

*Thread Reply:* It shows you the current ACL rules. You can also change rules in config mode.

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-05-05 13:58:40

*Thread Reply:* Great thank you

Sherman Chen (sherm@me.com)
2021-05-05 19:22:13

@Sherman Chen has joined the channel

Justin Butts (justin.butts777@gmail.com)
2021-05-06 15:32:49

Hey folks, seeing some really stupid behavior with AE Work Profile enrollments on Android 10 and 11 Samsung devices of varying models on Core 10.0.0.1. Apps approved and deployed through AE no longer show up in MGP store on devices. Search for the app - nothing, only MobileIron and Webview Services (I believe it was). Have refreshed Google cert, updated play store services etc, collected logs. At this point MobileIron is escalating to Google which is...frustrating to me. Anyone else see this or experience something similar?

Ajay Patel (ajay5675@msn.com)
2021-05-06 16:19:52

*Thread Reply:* not strictly mobileiron related but had something similar with WS1 before they put a fix in, that if you had an auto app update policy mixed in with any other policies it would cause issues and no apps will appear in the stores. The app update policy had to be separate. Not sure if the same issues were seen across other MDMs but perhaps that could be a starting point.

👍 Justin Butts
Mark Vonk (mark.vonk@dahvo.com)
2021-05-06 17:16:59

*Thread Reply:* After updating Google play and the webview, do the other apps show up? What version of Google play store is installed?

mahiroux (mhyb.mk@gmail.com)
2021-05-06 17:38:42

*Thread Reply:* I have noticed somewhat similar behavior. However, apps get installed and are available in MGP when the ‘silent install apps for mandatory apps’ option is selected, but its rationale was not understood.

Justin Butts (justin.butts777@gmail.com)
2021-05-06 18:41:09

*Thread Reply:* @Mark Vonk No other apps show up, Play services have yesterday's update, but issue existed prior as well

Justin Butts (justin.butts777@gmail.com)
2021-05-06 18:41:24

*Thread Reply:* @mahiroux yes, silent installs and the apps come down...usually....but cannot see them in the MGP store at all

Justin Butts (justin.butts777@gmail.com)
2021-05-06 18:41:38

*Thread Reply:* and don't want to silent install everything haha

Stuart Brown (stuartbrown@google.com)
2021-05-19 00:40:08

*Thread Reply:* Did you by chance set up a Custom Store Layout (for example via the MobileIron iframe play store ui)? If you did create a layout, I'm not quite sure if it can be undone so that all newly added apps are automatically added. Possibly a ticket to MI so that they can escalate to Google to clear the collections back to 'basic'

Justin Butts (justin.butts777@gmail.com)
2021-06-15 15:12:41

*Thread Reply:* Just to update this thread - Google has been involved for 3+ weeks now, and has so far been unable to fix this. I am having a really hard time with how this isn't a widespread issue

Justin Butts (justin.butts777@gmail.com)
2021-06-15 15:13:07

*Thread Reply:* Seems to be specific to MI Core - have not heard of this from other mdm vendors

Mark Vonk (mark.vonk@dahvo.com)
2021-06-15 15:14:06

*Thread Reply:* Is this a relatively new Enterprise Google ID used for managed Google play?

Justin Butts (justin.butts777@gmail.com)
2021-06-15 15:16:53

*Thread Reply:* It's existed since at least late January

Justin Butts (justin.butts777@gmail.com)
2021-06-15 15:17:27

*Thread Reply:* worked as expected for a few months then...this

slackbot
2021-05-30 14:43:04

This message was deleted.

Kiran Patel (kiran@kiranpatel.net)
2021-06-01 19:52:54

*Thread Reply:* did you update the config file that looks at the user agent? what does it look like?

Mikey2000 (mscottscranton079@gmail.com)
2021-06-01 19:54:20

*Thread Reply:* You mean config file of the existing relying party trust?

Kiran Patel (kiran@kiranpatel.net)
2021-06-03 04:06:51

*Thread Reply:* no there is a config page update you need to make for adfs page so it routes only mobile traffic to this relying party.

Kiran Patel (kiran@kiranpatel.net)
2021-06-03 04:08:21

*Thread Reply:* MI Access tries to obfuscate the change but the ADFSWebTheme change outlined in the instructions does this

Kiran Patel (kiran@kiranpatel.net)
2021-06-03 04:09:00

*Thread Reply:* make sure that is only made to the relying party intended and not the default web theme

Almar Diehl (almar.diehl@blaud.com)
2021-06-02 08:59:52

Warning: the SSL certificate for support.mobileiron.com expired. So currently no Core/Sentry upgrades and KME enrollments possible. For KME I changed the download URL to https://play.google.com/managed/downloadManagingApp?identifier=mobileiron.core for now.

‼️ Justin Butts
Almar Diehl (almar.diehl@blaud.com)
2021-06-02 10:33:02

*Thread Reply:* Certificate has been renewed, problem solved.

👍 Woody
Woody (eric.woodland@trust.tc)
2021-06-02 19:44:34

*Thread Reply:* Ivanti clearly still learning the ropes with their new acquisition

Justin Butts (justin.butts777@gmail.com)
2021-06-07 23:13:58

*Thread Reply:* reason #3,894 I can't wait to leave MI behind

😆 Woody
Yth (enis_1990_@hotmail.com)
2021-06-08 13:22:53

Is it possible to use Multi-user Secure Sign-In for iOS for MobileIron Cloud where Microsoft apps get uninstalled AND the user logged in is removed (cached user credentials)? It seems that you need to manually log off from an MS app and then you get logged off completely. What I want to accomplish is that when the next user signs in, the Microsoft apps get reinstalled and the new user needs to sign in to the MS app.

Woody (eric.woodland@trust.tc)
2021-06-08 18:45:17

@Yth I’d be curious to know if it’s possible with Microsoft apps. I found no way to force this with Google accounts.

Woody (eric.woodland@trust.tc)
2021-06-08 18:45:54

Are you able to use iPadOS/Shared iPad? That’s really the direction people need to start leaning towards.

Yth (enis_1990_@hotmail.com)
2021-06-08 18:48:56

*Thread Reply:* Customer is not using Managed Apple IDs for now and I need to find a solution where user gets logged out - MS apps get removed - next user signs in - MS apps get reinstalled and no existing account is logged in in the MS apps

Woody (eric.woodland@trust.tc)
2021-06-08 18:58:14

*Thread Reply:* Yeah / For my customer with GSuite.. it just came down to reminding users to log out of their account when they finished using the device. Not perfect by any means, but they too did not have managed IDs.

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-12 13:19:05

@Bill Fitzgerald has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-06-13 17:33:53

This is from the device logs on Core - does this mean the user removed the MDM profile?

Woody (eric.woodland@trust.tc)
2021-06-14 17:30:41

@Mikey2000 That appears to be Core programmatically removing MDM profile from the device.

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-15 19:59:45

Anyone see access to the system manager\admin manager portal running slowly? There was an upgrade done ~5-6 weeks ago and all went well, just giving an LDAP resync error. Anything I would need to try? (VMs are hosted by customer; worth doing a reboot, or is something else at play here?)

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-15 20:01:30

Core is at 11.0.0.1 and Two sentries at 9.9.0

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-15 20:05:08

Found an article in MI University

MobileIron Core: Slow Dashboard and Devices Tabs After Upgrading to Core 11.x

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-15 20:05:32

Just wondering if anyone has seen this recently? And what remediation steps they took, thanks in advance

Ala Almaet (ala@alaalmaet.com)
2021-06-15 22:47:47

@Bill Fitzgerald you will need to allow outbound access to pcs.mobileiron.com which is covered off in the article

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-15 23:22:06

Thanks Ala, what changed? Is it just due to the 11 build as per article?

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-15 23:22:40

It's even very slow to access through credentials

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-15 23:23:01

Thanks @Ala Almaet have you seen this before?

Ala Almaet (ala@alaalmaet.com)
2021-06-16 04:03:26

@Bill Fitzgerald yes this is a known issue that customers have experienced with the fix to implement the work around provided in this article https://help.mobileiron.com/s/article-detail-page?Id=kA13n000000PTxICAW It also mentions that this is to be addressed long term in Core 11.3

👍 Bill Fitzgerald
macbentosh (benbergthold@gmail.com)
2021-06-16 20:23:56

Alright, what does MI have for reporting? Any hookup to Ivanti CI?

macbentosh (benbergthold@gmail.com)
2021-06-16 20:24:35

Any way to make a user input their cost center and dept at Core enrollment?

Peuge (peuge.benjamin@gmail.com)
2021-06-16 20:45:46

@macbentosh Core or Cloud? DEP or BYOD? If the Cost Center is part of their AD Attributes then you can leverage a Custom Attribute to report based on cost center

Jason (jasonh@bridgeway.co.uk)
2021-06-16 21:15:01

May I suggest IronWorks - now for Cloud (as well as on-prem Core)?

Govi (byodmdm@gmail.com)
2021-06-17 12:12:08

#Android12 Beta 2 failed to activate with MobileIron Android Enterprise! Keeps circling inside Mobile@Work to get the updates for more than 20-30 minutes... How about your situation?

Govi (byodmdm@gmail.com)
2021-06-25 05:50:56

*Thread Reply:* anyone observed this ?

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-06-17 13:20:48

Quick one guys: for an MDM cert renewal, customer gets zero bytes CSR. See it in MI University, and a reboot of Core is mentioned. Anyone see this before? What internet access is required for an MDM cert renewal?

Florent N. (Florent.NOSARI@econocom.com)
2021-06-17 13:21:48

*Thread Reply:* A previous KB said to try 10 times

👍 Bill Fitzgerald
Ala Almaet (ala@alaalmaet.com)
2021-06-17 13:36:58

*Thread Reply:* Need to make sure access to Apple servers I believe

Mark Vonk (mark.vonk@dahvo.com)
2021-06-17 13:59:00

*Thread Reply:* The CSR is created on the MobileIron Cloud infra (gateway). There was some maintenance yesterday (SRE-158305). It should be up and running fine now.

👍 Bill Fitzgerald
Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-07-01 21:22:56

*Thread Reply:* Thanks it looks like internal issues, shutdown of all their internet services\firewall change freeze (sorry for delay in getting back on this, i appreciate the help) 🙂

Mikey2000 (mscottscranton079@gmail.com)
2021-06-24 17:55:07

I know this has been discussed here but I can’t find it anymore. We want to enroll Android 11 WPCOD devices with Knox Mobile Enrollment with MobileIron Core. That doesn’t work anymore. There was a special setting within the KME json, right? By any chance someone can drop that to me?

Almar Diehl (almar.diehl@blaud.com)
2021-06-24 18:33:06

*Thread Reply:* You mean:

{"workProfileEnabled":true,"quickstart":true} ?

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-06-24 18:56:50

*Thread Reply:* Yes, I believe that's it! Thank you

Kiran Patel (kiran@kiranpatel.net)
2021-06-27 17:47:56

Anyone here have luck getting the zScaler Proxy Client to work with MobileIron Access? In our testing on macOS the traffic to auth is not routing via MI Access

🤔 Woody
Kiran Patel (kiran@kiranpatel.net)
2021-06-27 17:48:00

Safari works fine for other apps

Kiran Patel (kiran@kiranpatel.net)
2021-06-28 15:04:38

it's an interesting pickle given one's an HTTP proxy steering agent and one is a device-wide VPN

Woody (eric.woodland@trust.tc)
2021-06-28 19:07:48

@Kiran Patel How do you have Access positioned? As the entry point for Auth or is it being del-auth’d from the primary IdP? So when you attempt to access an SP.. is the traffic that should be bound for Access just being null routed or not initiating at all?

Kiran Patel (kiran@kiranpatel.net)
2021-06-28 19:08:15

*Thread Reply:* zScaler's IDP for SSO is Okta. Okta is DelIDP to MI Access

Kiran Patel (kiran@kiranpatel.net)
2021-06-28 19:08:45

*Thread Reply:* I get the okta login page, it hits mi access and MI Access sees it as an untrusted device

Woody (eric.woodland@trust.tc)
2021-06-28 19:09:17

*Thread Reply:* Interesting. So I wonder if something isn’t handing-off (user agent) from zScaler to Okta

Woody (eric.woodland@trust.tc)
2021-06-28 19:09:32

*Thread Reply:* but you said it does redirect to Access from Okta

Woody (eric.woodland@trust.tc)
2021-06-28 19:09:57

*Thread Reply:* Okay, so actually the chain there checks-out

Woody (eric.woodland@trust.tc)
2021-06-28 19:10:38

*Thread Reply:* It’s just when the MacOS device gets dropped-off at Access that it's failing to serve-up its trust credentials

Woody (eric.woodland@trust.tc)
2021-06-28 19:13:32

*Thread Reply:* @Kiran Patel and before zScaler, Access was seeing the same MacOS device as trusted (Tunnel/VPN/Cert) and the SSO cycle would complete?

Kiran Patel (kiran@kiranpatel.net)
2021-06-28 21:13:20

*Thread Reply:* yup exactly, I don't think the macOS packet tunnel is able to load due to the zscaler steering agent

👍 Woody
Kiran Patel (kiran@kiranpatel.net)
2021-06-28 21:13:26

*Thread Reply:* safari, etc all works

Kiran Patel (kiran@kiranpatel.net)
2021-06-28 21:13:31

*Thread Reply:* it's just the zscaler app itself I can't get to SSO

😭 Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-06-29 15:59:25

Anyone else having iOS device check-in issues with MobileIron Core? Device will only check-in after a reboot of the device. APNS service is ok. Telnet to the APNS gateway also works. Within the M@W logs i found: Error: Domain=MIAuthErrorDomain Code=401 „refresh token is not valid“ Related? Core 11.2 M@W is up to date.

Phil Hackett (phil.hackett83@gmail.com)
2021-07-01 08:29:43

*Thread Reply:* What iOS version are the affected devices? There was a known check-in issue which was fixed in iOS 14.6.

Issue: iOS 14.x was found to stop processing MDM commands once a device receives a ManagedMediaList command.

Core check-ins include the ManagedMediaList command, even if you don’t use Managed books.

We found that affected devices were fixed by a reboot. This was confirmed by Apple support.

Mikey2000 (mscottscranton079@gmail.com)
2021-07-01 08:51:13

*Thread Reply:* Thanks for the info. The device has version 14.6

Kiran Patel (kiran@kiranpatel.net)
2021-07-01 03:49:43

Anyone able to get macOS configured with Tunnel (packet tunnel) and " Extensible Single Sign-On Kerberos"

Kiran Patel (kiran@kiranpatel.net)
2021-07-06 18:34:48

*Thread Reply:* I keep getting cert not found even though it's on the device and I can choose it from identities

Bruno TestCWSI (brunocwsi@gmail.com)
2021-07-01 21:22:12

@Bruno TestCWSI has joined the channel

Iortx (jorge.barturen@gmail.com)
2021-07-12 15:26:47

We're configuring kiosk mode for the first time in our enterprise environment with MobileIron. Our users are worried about the new way of working because the icons of the dashboard are very, very small.

It is probably possible to configure this from the MobileIron Core console, but we haven't yet found the place to change this feature.

Can anybody help me please? Thanks in advance.

Mikey2000 (mscottscranton079@gmail.com)
2021-07-14 16:52:26

MobileIron Access (As A Service) question - if we enable MobileIron Access within the VPN config for iOS devices and add this VPN to the Microsoft Teams app, all the Teams traffic will be routed through Access, not only the authentication, right? We are not tunneling the traffic through Sentry. Our users complain that video calls will get cut off and have poor quality.

Justin Butts (justin.butts777@gmail.com)
2021-07-14 17:55:43

*Thread Reply:* Curious what the real world implications are here - we're juggling something similar and I can't imagine a live chat / video / conference call app is going to be a good experience if it's forced to VPN everything. Anxiously awaiting followup haha

👍 Mikey2000, Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-07-14 18:27:05

*Thread Reply:* Totally with you on this. I am sure @Raul can help us out with this one! 😜

Woody (eric.woodland@trust.tc)
2021-07-14 19:24:34

*Thread Reply:* IIRC you can selectively choose what is included in the tunnel. It should just be anything that matches your auth service URLs, etc. Everything else can be left alone.

Mikey2000 (mscottscranton079@gmail.com)
2021-07-14 19:35:27

*Thread Reply:* Gotcha. And for the case where we just want to have the Access authentication use the VPN, how would the iOS VPN config have to look - does anyone have an example or a link to a document showing how this should look?

Clark (76clark@gmail.com)
2021-07-14 20:47:05

*Thread Reply:* All traffic will be routed through Access. Only authentication will be sent to Access. Due to how Tunnel works with the iOS per app VPN it will cause issues with the calling and video though. You have 2 options. 1. Don't apply a per app VPN to Teams and instead distribute MS Authenticator and tunnel that app. 2. Configure the On Demand Tunnel config which is an always on VPN

Mikey2000 (mscottscranton079@gmail.com)
2021-07-14 21:10:58

*Thread Reply:* But If I don’t apply the VPN to the Teams app Access will detect Teams as an untrusted app.

Mark Vonk (mark.vonk@dahvo.com)
2021-07-15 11:40:14

*Thread Reply:* The authentication traffic only needs to go through Access. You can get that by setting up an on-demand vpn which connects automatically when the authentication URL (your adfs for example) is being called.

👍 Mikey2000, Justin Butts, Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-07-15 11:45:25

*Thread Reply:* Do you have an example config showing how this should look?

Justin Butts (justin.butts777@gmail.com)
2021-07-15 16:16:19

*Thread Reply:* @Clark would you be able to confirm what Mark said here? Will that solve for this, without the degradation of voice and video?

Mikey2000 (mscottscranton079@gmail.com)
2021-07-15 19:40:49

*Thread Reply:* Within the on-demand tunnel config we need packet-tunnel instead of app-proxy (provider type) right? Can that coexist with another per-app vpn config for tunnel, because we also tunnel other apps via sentry.

Mikey2000 (mscottscranton079@gmail.com)
2021-07-15 19:43:19

*Thread Reply:* I am not really following Clark's option 1 with the MS authenticator app. The user opens the Teams app, which should go through the Tunnel in order for Access to allow the app. How would MS authenticator help here?

Clark (76clark@gmail.com)
2021-07-15 21:38:27

*Thread Reply:* For option 1, if MS Authenticator is present on a device and you need to authenticate due to an expired authentication token, Teams will reach out to MS Authentication to authenticate on its behalf and then MS Authenticator will give the token to Teams. Since Authenticator does all the work, Teams does not need a VPN so there is no degradation of service for call and video. Also make sure that Access FQDN is listed in the Safari domains section of the VPN as MS Authenticator requires it.

🔥 Justin Butts, Woody
👍 Justin Butts, Woody, Mikey2000
Woody (eric.woodland@trust.tc)
2021-07-15 22:04:32

*Thread Reply:* Boom @Clark!

Mikey2000 (mscottscranton079@gmail.com)
2021-07-16 06:47:23

*Thread Reply:* Thank you @Clark 👍🙌 And the Access FQDN would be like: access-eu1.mobileiron.com or do I need the tenant GUID in the FQDN?

Clark (76clark@gmail.com)
2021-07-17 01:41:59

*Thread Reply:* What you listed will work

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-07-17 17:22:44

*Thread Reply:* How would I apply the same concept to Android Enterprise devices since the VPN config is not used there? Add routes within the Tunnel app configuration? Enable Split Tunnel within the Access portal? As far as I know, if I configure a Sentry within the Tunnel configuration and no routes, authentication will be sent to Access and everything else to Sentry.

Clark (76clark@gmail.com)
2021-07-20 13:46:53

*Thread Reply:* Split Tunnel in Access is for iOS only. First question, do you have a need to route any traffic through a Sentry on Android or did you want to use Access only?

Mikey2000 (mscottscranton079@gmail.com)
2021-07-20 14:38:55

*Thread Reply:* Ah ok. Yes, we have a couple of internal web services that we use via Sentry. And now we want to add O365 services which we need to secure via Access.

Clark (76clark@gmail.com)
2021-07-20 15:16:55

*Thread Reply:* just do something like

Clark (76clark@gmail.com)
2021-07-20 15:17:24

*Thread Reply:* this is assuming that the internal network is using the 10 range. Update to suit

Mikey2000 (mscottscranton079@gmail.com)
2021-07-20 15:24:34

*Thread Reply:* Great thanks. And put the MS Teams app into the disallowedapplist, right? Just out of curiosity, you placed com.mobileiron etc in the disallowedapplist.

Clark (76clark@gmail.com)
2021-07-20 15:27:48

*Thread Reply:* I would leave Teams out of the disallowed list otherwise during authentication you will be marked as untrusted. Using the split tunnel rules you will only tunnel Teams during authentication to Access. Maybe also the IDP if on premise like ADFS as well.

Clark (76clark@gmail.com)
2021-07-20 15:28:18

*Thread Reply:* What is the question regarding com.mobileiron?

Clark (76clark@gmail.com)
2021-07-20 15:46:39

*Thread Reply:* in case you are interested this is the full list I generally start with as a disallowed list when on Core: com.mobileiron;com.mobileiron.client.android.pim;com.mobileiron.tunnel.android.release;com.android.vending

🙏 Mikey2000
Clark (76clark@gmail.com)
2021-07-20 15:46:51

*Thread Reply:* For Cloud I use: com.mobileiron.anyware.android;com.mobileiron.client.android.pim;com.mobileiron.tunnel.android.release;com.android.vending

🙏 Mikey2000
Clark (76clark@gmail.com)
2021-07-20 15:47:07

*Thread Reply:* All credit for these lists goes to @Raul

🙌 Woody, Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-07-20 18:47:34

*Thread Reply:* That solved all my questions, thank you 🙏

👍 Clark, Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-07-22 20:39:53

MobileIron Access & Citrix ADC (Netscaler) as IdP - is this supported?

Clark (76clark@gmail.com)
2021-07-22 22:21:02

if the federation between Citrix ADC and the SP uses SAML 2.0 standards then likely yes

👍 Woody, Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-07-23 08:50:19

Is anyone familiar with the status „waiting_send“ on Core for pushing user certificates to the device? The device is not receiving the user certificate.

Steve Hayton (shayton@bridgeway.co.uk)
2021-07-23 10:13:41

Sorry for the question but does a test certificate work?, What type of cert authority are you using (local or NDES)?

Mikey2000 (mscottscranton079@gmail.com)
2021-07-23 10:55:09

*Thread Reply:* NDES - yes issue test cert works

Mikey2000 (mscottscranton079@gmail.com)
2021-07-23 10:58:20

*Thread Reply:* Only one user is affected which is weird

Steve Hayton (shayton@bridgeway.co.uk)
2021-07-23 11:00:00

*Thread Reply:* Try the user with a different device (the easy check) otherwise it's look at the cert logs on the NDES server!

Mikey2000 (mscottscranton079@gmail.com)
2021-07-23 11:07:21

*Thread Reply:* Good point, I‘ll try a new device. Why do you suspect an NDES issue, the cert has been issued and is visible on Core.

Steve Hayton (shayton@bridgeway.co.uk)
2021-07-23 11:14:38

*Thread Reply:* Have seen it before with an AD related issue

Mikey2000 (mscottscranton079@gmail.com)
2021-07-23 11:15:41

*Thread Reply:* Thanks! 👍

Mikey2000 (mscottscranton079@gmail.com)
2021-07-23 11:56:45

*Thread Reply:* Ok different device same issue

Mikey2000 (mscottscranton079@gmail.com)
2021-07-23 18:47:20

Is it true that currently Cloud offers more features for Windows 10 management than Core? In that case would you still recommend Core for W10 or is Cloud the better choice

Clark (76clark@gmail.com)
2021-07-23 20:13:37

Cloud

🙏 Mikey2000
Steve Hayton (shayton@bridgeway.co.uk)
2021-07-26 08:40:56

Was in an Ivanti partner session last week where Ivanti Endpoint Manager (No correlation to Microsoft Endpoint) was promoted for Windows ahead of Ivanti MobileIron Bridge. Will boil down to use case and best fit.

👍 Mikey2000, Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-08-05 16:57:01

MobileIron Cloud Firewall requirements - my old MobileIron domain bookmark is not working anymore and I am looking for the Firewall sheet for MobileIron Cloud. Can anyone point me to the new Ivanti document for this?

Ala Almaet (ala@alaalmaet.com)
2021-08-05 23:31:02
Mikey2000 (mscottscranton079@gmail.com)
2021-08-11 14:19:07

Wifi config on MobileIron Core for cert based authentication - we have only checked TLS in the wifi config, not PEAP, but the wifi controller shows the device wants to use PEAP. Does anyone have an explanation for this? Could this be a problem on the radius?

Woody (eric.woodland@trust.tc)
2021-08-11 16:32:25

*Thread Reply:* For use with Apple or Android? I found there to be several differences when going this direction, especially depending on what type of RADIUS system you’re interacting with.

Mikey2000 (mscottscranton079@gmail.com)
2021-08-11 16:44:31

*Thread Reply:* For iOS only

Mikey2000 (mscottscranton079@gmail.com)
2021-08-11 16:45:01

*Thread Reply:* We use macmon as radius

Mikey2000 (mscottscranton079@gmail.com)
2021-08-11 16:49:43

*Thread Reply:* Our network guy told me that on the radius he has seen that the device wants to do PEAP which makes no sense to me because I have not enabled it within the wifi config

Woody (eric.woodland@trust.tc)
2021-08-12 15:24:39

*Thread Reply:* Ah, okay interesting @Mikey2000. Let me pull some of my previous configs and get back with you

Mikey2000 (mscottscranton079@gmail.com)
2021-08-12 15:25:27

*Thread Reply:* Great, appreciate it Woody, thank you.

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-08-12 09:18:51

MobileIron Cloud and Windows 10 Management - is there a way to prevent users from using USB drives and whitelist company USB drives OR do we need MTD for this?

Steve Hayton (shayton@bridgeway.co.uk)
2021-08-12 09:51:41

*Thread Reply:* Hi, look under Windows Desktop Restrictions

Mikey2000 (mscottscranton079@gmail.com)
2021-08-12 09:53:22

*Thread Reply:* Hi.. yes I did. You can disable USB mass storage but I see no option in the GUI to whitelist company approved USB drives.

Mikey2000 (mscottscranton079@gmail.com)
2021-08-12 09:37:29

MobileIron Cloud - how can I enable 2FA for Cloud Admin login?

Steve Hayton (shayton@bridgeway.co.uk)
2021-08-12 09:57:26

*Thread Reply:* Not as we normally know it, under User Settings you can set Admin Auth to password and PIN but it can only deliver PINs to your email account.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-08-12 10:01:34

*Thread Reply:* Should be enough - thank you

Adam Royall (adam.royall@icloud.com)
2021-08-13 00:55:39

@Adam Royall has joined the channel

Bill Fitzgerald (bfitz52@googlemail.com)
2021-08-13 17:16:53

@Bill Fitzgerald has joined the channel

Bill Fitzgerald (bfitz52@googlemail.com)
2021-08-13 17:17:26

Hi guys quick query on MI , what version of sentry supports Exchange 2016 CU21 (latest CU released in July)

Bill Fitzgerald (bfitz52@googlemail.com)
2021-08-13 17:18:05

Looking through the documentation, can't see it mentioned, customer on 9.12.0 sentry and core 11.1.0.0 any way to know for definite?

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-08-13 17:23:01

I see for 9.13.0 it goes as far as CU20 (using original login now ) 🙂

Steve Hayton (shayton@bridgeway.co.uk)
2021-08-13 17:25:35

9:13 as of yesterday is the only version with any support on it (a little time on 9:12)

👍 Bill Fitzgerald, Mikey2000
Bill Fitzgerald (bfitzgerald@cwsi.ie)
2021-08-13 17:28:56

Is it a case of logging a ticket with MI?

macbentosh (benbergthold@gmail.com)
2021-08-16 21:44:00

so i have an exchange config I want to put out with a password. When i enter it into the payload it says password incorrect. Enter the same password in iOS with no issues...

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-08-26 15:02:29

Hello, I'm working on MI Cloud, and I kindly ask you is it possible to configure a group of Fully Managed Android devices and a group of WPoCOD devices? I thought I could do this with the Android Enterprise configurations and the use of Spaces but the configurations are only enabled for the Default Space. Am I taking the wrong approach? How do you recommend I do this? Thanks in advance

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-09-01 11:30:56

*Thread Reply:* I can't figure out how to manage two different registrations on MobileIron. With Workspace One I can create sub OGs on which I have full choice of the type of Android Enterprise configuration I want to implement. On MobileIron with Spaces I don't find this possible and even groups don't allow me to do so, from what I've seen. Can anyone give me any hints? Thanks!

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-01 16:52:46

*Thread Reply:* Hi, I don't want to cause any confusion but you can use device groups (or even user groups) to differentiate between your config assignment. Is there a specific need you have for Spaces?

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-09-01 17:08:07

*Thread Reply:* Yes I can use the distribution based on device groups, but my problem is to create the rules for this group. Normally the device is an element that 'appears' on the platform once it has been registered, so I don't know its attributes in advance. I would have liked to configure the distribution of the two profiles (WPoCOD and Fully Managed) based on the user, who is present on the platform or who I can also add manually to a group. So my problem is how do I create two groups of devices that in one case select one type of configuration and in one case another?

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-01 17:19:29

*Thread Reply:* What determines which they should be? If it's the person using it then a user group tied back to your IDP seems ideal. If it's device type and user you can bring an existing User Group into the ruleset for evaluating a device group. Apologies if this isn't what you are looking for.

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-01 17:22:22

*Thread Reply:*

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-09-01 17:28:45

*Thread Reply:* Many thanks! I came to a similar solution but unfortunately there must be something wrong with the FullyManaged profile configuration, because I can only configure the WPoCOD one. Thanks, at least now I know that the way is correct!

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-01 17:34:49

*Thread Reply:* You may need to reach out to Ivanti support about the FullyManaged - your method is sound so they should be able to give it a once over and assist?

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-09-02 08:18:27

*Thread Reply:* I wouldn't want to do something wrong with the Provisioner app and the QR code it generates, because WPoCOD works fine with Android 11 and configuration distribution with the device group created with the method you suggested. While for Android 9 an Android Enterprise profile registration error appears. However, when I try the Device Owner registration, neither Android 11 (device resets while searching for updates) nor Android 9 (same profile error) works.

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-09-02 08:19:33

*Thread Reply:* I'll try some further analysis and possibly write to Ivanti

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-09-02 08:19:37

*Thread Reply:* Thanks

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-02 08:58:44

*Thread Reply:* Sounds intriguing, the Android 11 Device owner reset indicates that it is not getting the AE configuration at all (reset is the default response in that case). Try adding the serial number of the test device to a device group and add that explicitly to the Android Enterprise lockdown. If it still fails it's definitely one for Ivanti

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-09-02 10:09:54

*Thread Reply:* Thanks...I'll try

Gianmarco Cerruti (gianmarco.cerruti@ennova.it)
2021-09-02 17:05:10

*Thread Reply:* I cleaned up the environment and redid the tests from scratch and now everything works. Thanks for the support

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-02 17:10:25

*Thread Reply:* My pleasure, many times I’ve done a revert and retest - sometimes things just don’t work even when they should. Best of luck with the rest of the project.

Mikey2000 (mscottscranton079@gmail.com)
2021-08-27 16:30:37

Azure Partner Compliance with MobileIron Core - after onboarding the device via MS authenticator, within the Azure devices it says MDM = „Intune“. Is the configured compliance partner not shown here?

Mark Vonk (mark.vonk@dahvo.com)
2021-08-27 17:33:12

*Thread Reply:* No, it will say Intune as the MDM even though it’s the Core

Mikey2000 (mscottscranton079@gmail.com)
2021-08-27 17:33:35

*Thread Reply:* Thanks Mark. 👍

Mikey2000 (mscottscranton079@gmail.com)
2021-08-27 17:40:33

I have configured App Protection Policies on Core which seems to work fine - I know there is an option within the Endpoint Manager to see if the App Protection Policy has been applied - I can’t find it. Can anyone point me to the right Azure blade?

Mikey2000 (mscottscranton079@gmail.com)
2021-08-27 17:56:18

*Thread Reply:* I found the check-in count within the app protection policy blade itself - but the count is 0 . Should this work for Core devices?

onires53 (jason.r.serino@gmail.com)
2021-09-01 16:04:57

Anyone using MFA for mobile enrollments into MobileIron on-prem CORE? Looking to enhance our authentication security.

Woody (eric.woodland@trust.tc)
2021-09-02 16:18:18

*Thread Reply:* Are you looking for something like SAML + MFA or just a straight MFA via RADIUS, etc? Your best bet here is going to be SAML --> MFA. Core just doesn’t have support for anything more, unless you locked-down enrollment to trusted networks and enforced use of VPN to get enrolled, etc.

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-01 16:11:59

slightly different approach have you considered a switch to PIN based auth (either with or without password)- puts you in total control of registrations?

👍 Woody
Tim Evans (timevans666@gmail.com)
2021-09-06 09:26:35

@Tim Evans has joined the channel

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 09:30:16

Hello folks, did someone successfully set up OAuth for iOS through Sentry with Azure Conditional Access? We follow the setup guide + add login.microsoftonline.net to Safari Tunneled domains but after we login (Azure says that's ok because it passes through Tunnel), we have the message "Cannot verify account information" and we don't see anything in the Sentry logs

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-06 09:42:33

Are you using Native client or Email +?

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 09:44:53

Native client

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-06 09:46:10

Sentry at least 9:12 Core 11+ or Cloud?

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 09:48:41

Yes, Sentry 9.13 and Core 11

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 09:50:24

We followed this guide

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 09:51:23

Everything seems to work until we add Conditional Access to allow only traffic from customer ip

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 09:52:12

We can see 401 Unauthorized errors in Sentry logs

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-06 09:57:09

Will have a play around (we use Partner Device Compliance so sidestep the authentication issue as we do not need to tunnel anything)

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 10:01:19

Thanks for your feedback Steve 🙂

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-06 11:24:25

I don’t know if you have seen this - we have tested and confirmed with iOS12 which works https://forums.ivanti.com/s/article/iOS-14-6-breaks-oAuth-functionality-as-v2-0-is-embedded-in-the-oAuth-Urls-in-Client-request

Martin Hodgson (martinh@bridgeway.co.uk)
2021-09-06 11:25:09

Works with Email+.

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 11:25:18

I changed the url manually on my 14.7 iPhone for testing

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 11:25:32

I will try with email+

Martin Hodgson (martinh@bridgeway.co.uk)
2021-09-06 11:29:52

No tunnel specifically needed. Can have Sentry with just ActiveSync and OAuth pass through enabled. Confirm OAuth in Sentry logs, look for Authorization: Bearer

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 11:58:25

We have to use Tunnel for auth on login.microsoftonline.net (Access Control based on network location)

Florent N. (Florent.NOSARI@econocom.com)
2021-09-06 11:58:31

Thanks for log info

Florent N. (Florent.NOSARI@econocom.com)
2021-09-08 12:04:58

Issue with MI Cloud eu1 admin ?

Mark Vonk (mark.vonk@dahvo.com)
2021-09-08 12:08:44

*Thread Reply:* It seems so, I have issues connecting to the portal and enrolling devices….

Woody (eric.woodland@trust.tc)
2021-09-08 15:47:25

The MI Cloud Connector - Can you enroll it using a dedicated account inside the tenant? Or does it have to be bound using the Tenant Admin?

Clark (76clark@gmail.com)
2021-09-08 16:34:11

I have used a different account from the EMMAdmin account before and it works fine

Woody (eric.woodland@trust.tc)
2021-09-08 16:48:10

*Thread Reply:* @Clark Does it need any specific roles assigned?

Clark (76clark@gmail.com)
2021-09-08 16:52:22

*Thread Reply:* Think it just needs the System Management but have not tested this. Normally the customer has used another call that had all roles assigned

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-09-16 19:19:25

I am not able to connect Core with Azure for Partner compliance. After entering the tenant id on Core and click connect, the consent prompt opens. If I tick the box and continue, I receive the error „internal server error“. Anyone familiar with this?

Steve Hayton (shayton@bridgeway.co.uk)
2021-09-17 09:04:49

*Thread Reply:* Hi, will PM you

Mikey2000 (mscottscranton079@gmail.com)
2021-09-20 14:21:23

I need to configure Outlook (Android Enterprise) for Exchange Online (modern auth) on Core. Can anyone share a valid config?

Clark (76clark@gmail.com)
2021-09-20 14:29:47

*Thread Reply:* There is not much you really need to do. This would work:

Clark (76clark@gmail.com)
2021-09-20 14:29:49

*Thread Reply:*

Clark (76clark@gmail.com)
2021-09-20 14:30:00

*Thread Reply:* user_custom3 is UPN

Mikey2000 (mscottscranton079@gmail.com)
2021-09-20 14:34:37

*Thread Reply:* Great thank you 😅✌️ By any chance you have the same for Samsung Email?

Clark (76clark@gmail.com)
2021-09-20 14:44:40

*Thread Reply:* Nope. Normally I do my best to talk clients out of using that app as then you are tied into just Samsung devices. If you do not want to use Outlook for all devices then I would suggest looking at Gmail or Email+ 3 as both of them support modern auth and can be applied to all Android devices, not just Samsung

🙏 Mikey2000
Mark Vonk (mark.vonk@dahvo.com)
2021-09-20 20:02:02

*Thread Reply:* Samsung e-mail does support modern auth and appconfig. So the config you need to apply is basically the same.

Woody (eric.woodland@trust.tc)
2021-09-20 15:27:38

Looking for a perhaps canned App Report from the API that can tell me which apps have “Install on Device” flagged

Woody (eric.woodland@trust.tc)
2021-09-20 15:34:58

*Thread Reply:* Thinking I’ll probably need to go straight to the API

Jason (jasonh@bridgeway.co.uk)
2021-09-20 17:03:31

*Thread Reply:* Yup, unless you use a third-party tool, e.g. our IronWorks solution, you’re down to rolling your own with the APIs at the moment.

👍 Woody
Jason (jasonh@bridgeway.co.uk)
2021-09-20 17:03:48

*Thread Reply:* Sorry, not ideal, I’d be the first to agree.

👍 Woody
Woody (eric.woodland@trust.tc)
2021-09-20 17:12:12

*Thread Reply:* Agree @Jason - You guys have a free trial? I might be able to sell them on it, since they’re sticking with MI Cloud for the long haul

Jason (jasonh@bridgeway.co.uk)
2021-09-20 17:15:18

*Thread Reply:* Yup, certainly. DM me for more info?

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-09-21 08:45:55

If I retire a DEP enrolled device from Core, it will not be wiped like it would be with Android DO enrollments, where there is only wipe possible, right?

Phil Hackett (phil.hackett83@gmail.com)
2021-09-21 08:48:27

*Thread Reply:* Correct. If you retire a DEP enrolled device, it will only remove the MDM profile, managed apps, configs, policies etc.

✅ NicolasR, Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-09-21 08:49:03

*Thread Reply:* Thanks for confirming ✌️

NicolasR (raison_nicolas@me.com)
2021-09-21 14:51:43

For those who are not aware, Ivanti created a new community for customers & partners called “Ivanti Innovators”. On this platform Ivanti insiders (PM and other people) might add some great content to follow.

You can register here: https://innovators.ivanti.com/join/CSSTEMEA

NicolasR (raison_nicolas@me.com)
2021-09-21 14:52:41

you can earn coins to get some rewards (even Apple Watch!) 😍

👍 YAS, Woody, Jason, Govi
Woody (eric.woodland@trust.tc)
2021-09-21 18:21:29

I joined-up @NicolasR

✅ NicolasR
👍 NicolasR, Mark Vonk
Cathal Henry (cathalhenry@gmail.com)
2021-09-23 10:50:16

@Cathal Henry has joined the channel

Govi (byodmdm@gmail.com)
2021-09-23 12:10:55

MI Email+ configuration/Governance - Azure Device Compliance for iOS and Android: We want to know the best O365 configuration for Email+ which can be controlled and validated using Microsoft Authenticator App as described in MobileIron Core - Azure Device Compliance for iOS and Android (ivanti.com). This article is more about the native email configuration but Email+ is missing. Did anyone succeed with the Email+ App? #ivanti_mobileiron #Email+ #m365 #compliance

NicolasR (raison_nicolas@me.com)
2021-09-23 13:52:22

Hi Govi, I might be wrong but I’m not sure Email+ can support the Azure compliance API for iOS/Android. For me Access can solve this use case but not the AAD compliance (which is the same license)

Govi (byodmdm@gmail.com)
2021-09-24 01:58:47

Hi Nicolas, thanks for your response, but we don't use Access and I will check with MI internally! @Tohsheen any suggestion from your side?

GeorgeU (geupham@gmail.com)
2021-09-25 02:36:11

@GeorgeU has joined the channel

Woody (eric.woodland@trust.tc)
2021-09-27 14:01:42

Anyone on NA2 having issues deleting devices as of recently?

Clark (76clark@gmail.com)
2021-09-27 14:13:24

I got the same error. Will report it to the support team

Woody (eric.woodland@trust.tc)
2021-09-27 14:16:39

Thanks @Clark! I figured it might be related to the emergency maintenance this weekend.

Henry Heres (henry@technicalfellow.nl)
2021-10-01 06:53:42

@Henry Heres has joined the channel

Kiran Patel (kiran@kiranpatel.net)
2021-10-02 15:08:58

What are creative ways everyone is ensuring on DEP enrolled devices the MobileIron app gets launched post enrollment? Looking for an option that's the easiest for the user from a UX perspective. What's working, what's not working?

Debating testing: Label to catch devices supervised and no client check in to Single App Mode it and then removing it.

Wallpaper change with instructions

SMS/Push notification, etc

Woody (eric.woodland@trust.tc)
2021-10-04 16:44:03

@Kiran Patel so you’re just wanting to make sure MobileIron GO is launched post-deployment (so it activates and the token does not expire). Right?

Kiran Patel (kiran@kiranpatel.net)
2021-10-04 16:44:16

Correct

Kiran Patel (kiran@kiranpatel.net)
2021-10-04 16:44:32

although we are hybrid and still on Core. Should be Go soon enough though

Woody (eric.woodland@trust.tc)
2021-10-04 16:45:09

Gotcha. Temporarily changing the Background might be your best bet. Everything else they can ignore…

Mikey2000 (mscottscranton079@gmail.com)
2021-10-05 09:17:13

Partner Compliance with MobileIron Core - can we also use a different app for Azure registration or is the MS Authenticator mandatory for the complete workflow?

Mark Vonk (mark.vonk@dahvo.com)
2021-10-05 12:20:00

*Thread Reply:* It's mandatory because it Azure AD registers the device with the correct correlated Azure AD device identifier.

👍 Woody
Mikey2000 (mscottscranton079@gmail.com)
2021-10-05 12:21:44

*Thread Reply:* I see. I am not sure if you are familiar with DUO? It has also the possibility to register the device in Azure. But it would not use the right Azure AD ID?

Clark (76clark@gmail.com)
2021-10-05 13:54:33

*Thread Reply:* MobileIron is not saying you have to use Authenticator. Microsoft is forcing this. Feel free to open a ticket asking MS for a feature request to use other applications for reporting back data to Azure. Will say that MS would likely be very resistant as they want to tie you into the MS stack as heavily as possible and allowing other apps goes in the opposite direction.

👀 Woody
👍 JP Guldfeldt
Mikey2000 (mscottscranton079@gmail.com)
2021-10-05 13:55:49

*Thread Reply:* I see. Thanks for the info. 🙌

Mikey2000 (mscottscranton079@gmail.com)
2021-10-07 12:59:29

How can I deploy a configuration to a device group (like all iOS) with MobileIron Cloud? Is that not possible? I can only assign User Groups!

Steve Hayton (shayton@bridgeway.co.uk)
2021-10-07 13:04:21
Steve Hayton (shayton@bridgeway.co.uk)
2021-10-07 13:05:26

As we may have discussed before you can add a User Group to a Device Group as well

🙏 Mikey2000, mahiroux
Woody (eric.woodland@trust.tc)
2021-10-07 16:40:00

So @Mikey2000 do you have an app that you need to deploy to User Groups AND Device groups? If it is an app that truly needs to go out to specific device platforms (albeit restricted to a certain audience), you’d be best flipping it over to Device Groups and using a Device Group that is trimmed down (based on a User Group, etc).

👍 Mikey2000
mahiroux (mhyb.mk@gmail.com)
2021-10-10 19:41:25

Can someone outline the steps to enable KCD for CIFS shares on docs@work? I have already configured KCD for activesync and on premise share-point sites. Now I want to extend it to CIFS as well. What configuration is required on the CIFS server & KCD?

Woody (eric.woodland@trust.tc)
2021-10-11 16:05:46

@mahiroux - Wow, it’s been a minute since I’ve set that one up. Are you using the same Sentry with KDC setup (EAS/SharePoint) to access the CIFS shares? Going from memory… It’s mostly about creating a new entry in the Sentry config and making sure the KCD service account has been setup for del auth inside the server objects in AD. Oh, and of course opening-up FW ports to allow Sentry —> CIFS share communications. Otherwise, I think that’s it.

Steve Hayton (shayton@bridgeway.co.uk)
2021-10-11 16:45:43

perfect Woody, CIFS does KCD natively so no messing about with IIS required

💪 Woody, Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-10-12 12:14:01

Does anyone know a third party product to set signatures on iPhone mail?

Ajay Patel (ajay5675@msn.com)
2021-10-12 14:24:53

*Thread Reply:* depending on your infrastructure you can achieve this after it leaves the device. For example, we use Exclaimer which applies the signature to all our emails regardless of the device. The device signature is just saved locally whereas the exclaimer applies it in the cloud after it is sent.

🙏 Mikey2000, Woody
Woody (eric.woodland@trust.tc)
2021-10-12 15:06:57

*Thread Reply:* Digging that solution @Ajay Patel. Centralize/standardize and be done. What layer does Exclaimer plug-in to?

Ajay Patel (ajay5675@msn.com)
2021-10-12 15:12:30

*Thread Reply:* It's done using a send connector, transport rule and receive connector so it can pass the email to their cloud signature solution and then back out to 365 for delivery

‼️ Justin Butts
👍 Woody
Ajay Patel (ajay5675@msn.com)
2021-10-12 15:13:02

*Thread Reply:* but also an SPF record so that your emails are not classed as junk

👍 Woody
Woody (eric.woodland@trust.tc)
2021-10-14 18:15:31

*Thread Reply:* Ah, that makes sense @Ajay Patel. So it is more of a 3rd party handler instead of an integrated tool.

Ajay Patel (ajay5675@msn.com)
2021-10-15 09:27:55

*Thread Reply:* Yes, I don't think Microsoft has anything out of the box regarding signatures as they tend to be more client side (i.e. controlled from Outlook) whereas 3rd party products allow it to be controlled server side

👍 Woody
slackbot
2021-10-14 15:02:41

This message was deleted.

Mikey2000 (mscottscranton079@gmail.com)
2021-10-14 15:10:34

*Thread Reply:* Update - under device details I can see MDM Lost Mode Enabled is false. I was able to send a lost mode request, but if the device is offline it will not send a new status back to Core, right?

Justin Butts (justin.butts777@gmail.com)
2021-10-14 16:27:43

*Thread Reply:* is the device supervised?

Mikey2000 (mscottscranton079@gmail.com)
2021-10-14 16:28:04

*Thread Reply:* Yes

Justin Butts (justin.butts777@gmail.com)
2021-10-14 16:28:13

*Thread Reply:* when was last device check-in as it relates to you sending the lock command?

Mikey2000 (mscottscranton079@gmail.com)
2021-10-14 16:28:48

*Thread Reply:* Check-in was 2 days ago. Sending the lost command was today

Justin Butts (justin.butts777@gmail.com)
2021-10-14 16:29:16

*Thread Reply:* Working as expected then? Can't get a command if it has no network or is powered down

Justin Butts (justin.butts777@gmail.com)
2021-10-14 16:29:22

*Thread Reply:* which it's likely one of those two things

Mikey2000 (mscottscranton079@gmail.com)
2021-10-14 16:29:56

*Thread Reply:* That's what I thought. And that's why the request location is not working

Justin Butts (justin.butts777@gmail.com)
2021-10-14 16:30:07

*Thread Reply:* yarp

Mikey2000 (mscottscranton079@gmail.com)
2021-10-14 16:30:31

*Thread Reply:* Ok thx.. which kind of beats the purpose

Justin Butts (justin.butts777@gmail.com)
2021-10-14 16:41:09

*Thread Reply:* I mean

Justin Butts (justin.butts777@gmail.com)
2021-10-14 16:41:10

*Thread Reply:* lol

Justin Butts (justin.butts777@gmail.com)
2021-10-14 16:41:18

*Thread Reply:* that be how the internet works man

Mikey2000 (mscottscranton079@gmail.com)
2021-10-14 16:41:38

*Thread Reply:* Yeah sure 😃

Mikey2000 (mscottscranton079@gmail.com)
2021-10-14 16:42:04

*Thread Reply:* But it should remain flagged as lost with Apple, right?

Justin Butts (justin.butts777@gmail.com)
2021-10-14 17:34:48

*Thread Reply:* I'm not sure what you mean by with Apple

Mikey2000 (mscottscranton079@gmail.com)
2021-10-14 17:36:57

*Thread Reply:* If the device goes online again, isn't it supposed to be flagged as lost on the Apple servers so no one can use it anymore. At least that's what I was told how the lost mode works

Justin Butts (justin.butts777@gmail.com)
2021-10-14 17:42:41

*Thread Reply:* I'm not aware of that having anything to do with Apple servers but I could just be ignorant to that functionality. If that device ever re-gains network access, the Lost Mode command you sent should apply pretty quick

👍 Mikey2000
Jon Dynes (jdynes@me.com)
2021-10-15 15:42:58

@Jon Dynes has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2021-10-20 12:16:41

We are in the mix of rolling out Apple Business Manager with MobileIron Core. If we factory reset an existing device and apply a backup which is of course from a non-supervised device, and we apply the backup during the Apple setup wizards, everything should be fine, right?

JP Guldfeldt (jpguldfeldt@hotmail.com)
2021-10-22 07:47:51

*Thread Reply:* it is my experience that it works when using a backup that does not contain certificates from MDM or device identifier from Azure. Otherwise it may fail

Thomas B. (tbosboom@apple.com)
2021-10-22 15:15:06

*Thread Reply:* If that backup originates from the same device, it will inherit supervision status (unsupervised) from that backup.

Eric Bos (ericbos1@ie.ibm.com)
2021-10-20 12:23:30

I believe you need to complete the enrollment and restore the backup afterwards.

Mikey2000 (mscottscranton079@gmail.com)
2021-10-20 12:23:58

*Thread Reply:* Wouldn't that erase the supervision?

Eric Bos (ericbos1@ie.ibm.com)
2021-10-20 12:24:53

*Thread Reply:* Not sure about MI but in MaaS360 we would

Mikey2000 (mscottscranton079@gmail.com)
2021-10-20 12:25:34

*Thread Reply:* You mean you would erase the supervision or it works like that

Eric Bos (ericbos1@ie.ibm.com)
2021-10-20 12:25:51

*Thread Reply:* it works like that

Eric Bos (ericbos1@ie.ibm.com)
2021-10-20 12:27:16

*Thread Reply:* see https://www.ibm.com/support/pages/dep-ios-backup-and-restore-guide

👍 Woody, Thomas B.
Thomas B. (tbosboom@apple.com)
2021-10-22 15:20:49

*Thread Reply:* Nice reference @Eric Bos! Nowadays, there is also Quick Start to take into account - https://support.apple.com/en-us/HT210216 - the device-to-device data transfer piece doesn’t work for ABM enrolled devices, so an iCloud based transfer gets used. Fun addition in iOS 15 is that for new device setup, unlimited iCloud storage can be used for the transfer at no cost (for up to 21 days)

Thibaut Bellon (thibaut@mobinergy.com)
2021-10-20 15:57:51

@Thibaut Bellon has joined the channel

Thibaut Bellon (thibaut@mobinergy.com)
2021-10-20 15:58:17

Hi guys, how do you push scripts on MobileIron for macOS and Windows 10 devices?

Steve Hayton (shayton@bridgeway.co.uk)
2021-10-20 16:19:00

Windows use Bridge and send PowerShell commands. Note you can only address the user environment. I’ve done a few, if you want to PM me what you want to achieve I’ll see if I have an example of it. For Macs it’s AppleScript and I have not done a lot with that.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-10-21 08:52:16

Is this true that Core 11.4 will require Client Mutual Auth? That would also mean we have to migrate Apps@Work to a different port.

Justin Butts (justin.butts777@gmail.com)
2021-10-21 14:56:09

*Thread Reply:* Uhh what is this now? Do you have a link to any documentation?

Mark Vonk (mark.vonk@dahvo.com)
2021-10-21 17:23:45

*Thread Reply:* No it does not require it. It will show a banner:

Mark Vonk (mark.vonk@dahvo.com)
2021-10-21 17:23:49

*Thread Reply:* If Core is installed or updated to 11.4.0.0 release and mutual authentication has not been enabled, a red reminder banner will display in a ribbon just below the Admin portal masthead. To enable mutual authentication, go to Settings > System Settings > Security > Certificate Authentication > Client Mutual Certificate Authentication page. Once enabled, the banner does not appear again. For more information about mutual authentication, see Mutual authentication between devices and Core in the Managing Certificates and Configuring Certificate Authorities chapter of the Core Device Management Guide for your operating system.

Mikey2000 (mscottscranton079@gmail.com)
2021-10-21 17:24:41

*Thread Reply:* Thanks Mark. Exactly what I meant! 🙏

Mikey2000 (mscottscranton079@gmail.com)
2021-10-21 17:29:07

*Thread Reply:* Yet the first sentence is: Core now requires mutual authentication with managed devices for a more secure connection. 😄

Mark Vonk (mark.vonk@dahvo.com)
2021-10-21 17:29:44

*Thread Reply:* Required by putting up a red banner 😉 It does not enable it and you can choose to ignore it

👍 Mikey2000, Justin Butts, Thomas B.
Mikey2000 (mscottscranton079@gmail.com)
2021-10-21 17:30:16

*Thread Reply:* Right 😀🙌

Ala Almaet (ala@alaalmaet.com)
2021-10-22 06:55:11

*Thread Reply:* @Mikey2000 Starting with Core 11.4 Ivanti are providing a banner as a reminder to turn this functionality on, in future releases this will become mandatory to enable.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-10-22 16:19:56

Anyone else having issues with the current version of OneDrive for iOS? If we push the app via VPP the app crashes. If we install the app directly from the AppStore without VPP the app works.

YAS (esteem143@gmail.com)
2021-10-22 22:23:19

*Thread Reply:* OneDrive version 12.53.21 is out which has the fix for the app crash issue.

🙏 Mikey2000, Thomas B.
Govi (byodmdm@gmail.com)
2021-10-25 10:48:06

#mi_sentry #Sentry v9.14 -> Support for Azure AD Conditional Access rules. Has anyone tried this to control the EXO configuration for Managed/Unmanaged BYOD devices through Azure Conditional Access? Thanks

mahiroux (mhyb.mk@gmail.com)
2021-10-27 12:06:15

Has anyone configured multiple EAS accounts to iOS native mail app through Sentry? I am sending two Exchange profiles to the same device, however only the primary one is getting applied and the second config shows pending. Any help will be much appreciated.

Woody (eric.woodland@trust.tc)
2021-10-27 15:53:16

Oh wow @mahiroux - I think there was a hack to make this work many moons ago. I’m checking my notes to see if I’ve got anything on it

mahiroux (mhyb.mk@gmail.com)
2021-10-27 16:13:58

@Woody That's wonderful. We are desperately looking for a hack to make this work.

Woody (eric.woodland@trust.tc)
2021-10-28 16:20:37

*Thread Reply:* @mahiroux Sorry, just getting back to this. Yesterday was pretty crazy

Jason Bayton (jason@bayton.org)
2021-10-27 18:19:40

Looks like the MobileIron brand is going 😞

😭 Woody, Ala Almaet, Jason, Mikey2000
Matt Dermody (jmdermody@gmail.com)
2021-10-27 18:25:09

*Thread Reply:* Any insights into whether the EMMs going down the API route will be abandoning custom DPC?

Matt Dermody (jmdermody@gmail.com)
2021-10-27 18:25:34

*Thread Reply:* If so, I’m quitting 😂

Jason Bayton (jason@bayton.org)
2021-10-27 18:26:36

*Thread Reply:* Nothing explicit but this is implied - AMAPI isn't giving up the DPC they ship with, and only one DO on-device. I expect they'll bring a bit more power to companion apps to accommodate missing features in AMAPI today

👍 Matt Dermody, Martin Hodgson
Woody (eric.woodland@trust.tc)
2021-10-27 21:19:42

*Thread Reply:* Nothing says Mobile/Endpoint Management like MobileIr… er Ivanti

Woody (eric.woodland@trust.tc)
2021-10-27 21:35:47

*Thread Reply:* I feel like it’s going to be an AirWatch/WS1 thing… where it’s formally called Workspace ONE UEM but everyone still affectionately refers to it as AW

👆 Matt Dermody
Woody (eric.woodland@trust.tc)
2021-10-27 21:36:12

*Thread Reply:* Because it rolls off the tongue so much easier

Jason Bayton (jason@bayton.org)
2021-10-27 22:02:55

*Thread Reply:* It's a far cooler name. It'll be MobileIron whenever I talk about it forever more no matter how Ivanti try to erase it 😛

💪 Woody
Yth (enis_1990_@hotmail.com)
2021-11-01 18:23:06

Is it possible to disable MAC address randomization for Android on MI Core?

Ala Almaet (ala@alaalmaet.com)
2021-11-01 22:34:52

*Thread Reply:* @Yth This is coming in a future H1 2022 release.

👍 Woody, Yth
Tohsheen (tbazaz@mobileiron.com)
2021-11-05 13:13:50

*Thread Reply:* You can't disable it

Mikey2000 (mscottscranton079@gmail.com)
2021-11-02 17:05:12

We need to migrate Core and Sentry to a new datacenter (new IP addresses, FQDN stays the same) Is it wise (or even supported) to migrate the VMs with Veeam Replication? Or fresh installation and restore?

Steve Hayton (shayton@bridgeway.co.uk)
2021-11-02 17:10:46

I would build new and restore - that way you have a fixed remediation point in the event of error. Not saying you cannot use Veeam, just a belt and braces approach. Building a new chassis can also flush out any hidden issues with multiple upgrades (done it more than a few times over the years)

👍 Mikey2000
Woody (eric.woodland@trust.tc)
2021-11-02 17:32:38

@Mikey2000 you can use the built-in HA tool for Core that will transfer everything from Host A to Host B.

👍 Mikey2000
Woody (eric.woodland@trust.tc)
2021-11-02 17:33:29

Though what @Steve Hayton was alluding to is completely fine

Martin Hodgson (martinh@bridgeway.co.uk)
2021-11-02 17:36:53

Recommend as above. A few years back, had a customer use Veeam for migration only to find network interfaces were down and not resolved with reboots. Dev-shell to reset the interfaces

Steve Hayton (shayton@bridgeway.co.uk)
2021-11-02 17:37:43

I prefer a rebuild over HA as 1. you don’t need professional services and 2. more importantly you know exactly where the cut off point of snapshot is so you can define the change window

👍 Martin Hodgson, Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-11-02 17:53:02

Thanks guys. Sentry should be easy. Core needs some preparation, but I used to have a task list what is important

Steve Hayton (shayton@bridgeway.co.uk)
2021-11-02 17:54:47

Sentrys are a doddle, spin them up with the same name and refresh the config under services after you have changed DNS

Steve Hayton (shayton@bridgeway.co.uk)
2021-11-02 17:56:51

Core start to finish (if the firewall rules are set correctly in new datacentre) I've done from bare ISO in under 3 hours but it's not something to rush

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-11-08 13:47:58

Help@Work for iOS on MI Core - is anyone using it? Is there still an Apple TV and Bonjour required or can we use also Teamviewer like we can on Cloud?

Steve Hayton (shayton@bridgeway.co.uk)
2021-11-08 16:37:18

It's Teamviewer

Steve Hayton (shayton@bridgeway.co.uk)
2021-11-08 16:37:30

and yes to having used it and having customers who use it

👍 Woody, Mikey2000
Woody (eric.woodland@trust.tc)
2021-11-09 16:06:28

Does MobileIron offer anything Multi-User on Android Enterprise like the WS1 Launcher? I’m not seeing anything besides Lockdown & Kiosk, which mostly indicates a custom Kiosk (launcher?) but no mention of multi-user or sign-in/sign-out functionality.

Almar Diehl (almar.diehl@blaud.com)
2021-11-09 16:08:11

*Thread Reply:* Sure! Android Kiosk gives you multi-user sign-in/out.

👍 Woody
Woody (eric.woodland@trust.tc)
2021-11-09 17:14:41

*Thread Reply:* Got it @Almar Diehl - I was checking the configs but they don’t really call it out in there. Just says Kiosk and launcher to present the apps you want present, etc

Mikey2000 (mscottscranton079@gmail.com)
2021-11-10 14:28:18

Anyone else having problems enrolling iOS into MI Cloud? Error message after trying to install the profile: no connection to server Wifi or 3G the same

Mikey2000 (mscottscranton079@gmail.com)
2021-11-29 10:57:13

If we integrate AAD with MI Cloud, users from Azure will be imported into Cloud and therefore users are able to enroll with their Azure credentials right?

Mikey2000 (mscottscranton079@gmail.com)
2021-11-29 14:51:02

*Thread Reply:* Great thanks. I used this guide, but the sync is failing (AAD sync unsuccessful)

Clark (76clark@gmail.com)
2021-11-29 14:59:06

*Thread Reply:* Every time I have seen it not work was because there was a setting missed during the configuration. Recommend going through the setup with a fine tooth comb.

Mikey2000 (mscottscranton079@gmail.com)
2021-11-29 15:12:42

*Thread Reply:* I have gone over it with my colleagues - everything was done exactly like described. Maybe a missing license on Azure? Are there any helpful logs?

Clark (76clark@gmail.com)
2021-11-29 15:53:51

*Thread Reply:* Never heard of anyone accusing Azure of having helpful logs 😆 In all honesty I am not sure what logs you would need to review on the Azure side. You are not trying to sign into Azure using an account that is federated or requires MFA are you? Confirm the account works by signing into portal.azure.com and is not getting prompted to update a password and ensure you are only using an onmicrosoft.com admin account

🤣 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2021-11-29 16:13:10

*Thread Reply:* Right, no my Azure Global admin that I used to accept the permissions in Cloud is non federated and non MFA and a onmicrosoft.com account.

Mikey2000 (mscottscranton079@gmail.com)
2021-11-29 18:15:26

*Thread Reply:* I guess this could be the issue: „Using Azure AD as the IDP requires a Microsoft Azure AD Premium subscription.“

Mikey2000 (mscottscranton079@gmail.com)
2021-11-30 17:53:40

*Thread Reply:* Found the issue - the documentation is missing one crucial point - granting admin consent in the MobileIron Azure Integration enterprise app!

Mikey2000 (mscottscranton079@gmail.com)
2021-12-03 15:15:31

I am kind of confused with this error message with registration of Android devices on Core. Device has a label with an Android Enterprise work profile config prior to registration, but we still receive this error with some devices. Not all of them. Has there been a change with new Core versions and AE enrollment? Sure this is DA mode, but we have attached an AE config anyway like we always did.

Almar Diehl (almar.diehl@blaud.com)
2021-12-03 16:10:14

*Thread Reply:* We had the same after upgrading Core to 11.3. Fixed it by applying the label Alle Android Devices to the AE config. All labels we had applied before had a more complex filter that seemed to apply just after enrollment.

Mikey2000 (mscottscranton079@gmail.com)
2021-12-03 16:28:12

*Thread Reply:* This is strange. Gotta try it - thanks Almar

Mikey2000 (mscottscranton079@gmail.com)
2021-12-03 16:38:27

*Thread Reply:* But how would you solve that with different enrollments like COBO and COPE?

mahiroux (mhyb.mk@gmail.com)
2021-12-07 18:29:13

Users are unable to copy larger (1 MB and above) files from Docs@Work to CIFS network folder. I see HTTP 408 Reason: File copy failed due to socket timeout. Has anyone faced a similar issue? Is there a known fix for this issue?

Mikey2000 (mscottscranton079@gmail.com)
2021-12-07 18:45:17

Anyone familiar with this error on an AppTunnel Sentry - looks to me that there is an issue with the CRL:

„UNKNOWN_CRL(The CRL entry was not found in the cache.)“

Ladislav Blazek (ladislav@lblazek.cz)
2021-12-07 18:50:35

Is the CRL distribution point reachable by Sentry? Sentry should cache it locally then for the period of CRL lifetime. So also check if CRL is correctly refreshed = not expired

Florent N. (Florent.NOSARI@econocom.com)
2021-12-09 16:05:47

Hello folks, is there any plan to support Nutanix for Core/Sentry?

Ala Almaet (ala@alaalmaet.com)
2021-12-10 01:13:12

*Thread Reply:* Hi @Florent N. there are currently no plans to support Nutanix AHV for Core/Sentry. Currently supported platforms are VMware and Hyper-V. If you are running Nutanix as an all-in-one hyper converged platform with VMware on top then no issues with that as it's still VMware

Nick (nickdiaz@gmail.com)
2021-12-10 13:51:44

Curious how everyone using Email+ is dealing with TextID of managed contacts since Contact Export is broken (it depends on the removal of unmanaged access to managed files).

Paul Conaty (pconaty@cwsi.ie)
2021-12-13 09:45:41

Hi all, I'm sure you are aware that on-prem versions of MobileIron Core and Sentry are vulnerable to log4j. Hotfix available as of this morning

👍 Phil Hackett, Woody, Johannes Harbs, Govi
Nick (nickdiaz@gmail.com)
2021-12-15 13:57:45

Relevant to that, I think Ivanti’s patch correctly removes the JNDI class instead of just upgrading Log4J to 2.15.0, which was the original mitigation. But other systems in your environment might not have followed the same path: https://nvd.nist.gov/vuln/detail/CVE-2021-45046

👍 Woody, Phil Hackett, Justin Butts
Mikey2000 (mscottscranton079@gmail.com)
2021-12-22 18:27:38

Anyone using help@work on Core for iOS? I am not able to connect to the device. Anything special needed on the device besides the QS app and that screen recording is set to Teamviewer? Android works though. Only iOS will not connect.

Peuge (peuge.benjamin@gmail.com)
2022-01-04 19:53:08

*Thread Reply:* iOS can be a bit tricky. You need the app installed first. And running

Mikey2000 (mscottscranton079@gmail.com)
2022-01-04 19:55:07

*Thread Reply:* You mean start QS on the device before initiating remote support on Core?

Peuge (peuge.benjamin@gmail.com)
2022-01-04 19:56:57

*Thread Reply:* Yes. Then try it. Oddly ios is not friendly to qs

Mikey2000 (mscottscranton079@gmail.com)
2022-01-04 19:57:48

*Thread Reply:* And the user must also activate screen sharing for teamviewer (Notification Center) right?

Peuge (peuge.benjamin@gmail.com)
2022-01-04 20:01:30

*Thread Reply:* Yes, it's all about permissions

mahiroux (mhyb.mk@gmail.com)
2022-01-05 08:26:40

Hi, a couple of users are using Xiaomi (Model Poco X3 GT) and work apps show paused when users try to open any attachments from Email+. How to fix this issue?

Jason Bayton (jason@bayton.org)
2022-01-07 20:19:33

*Thread Reply:* You'll need to raise this with mobileiron. Capture a bug report after replicating it and they can escalate to the OEM.

Woody (eric.woodland@trust.tc)
2022-01-11 16:52:47

Anyone seeing Cloud acting up?

Clark (76clark@gmail.com)
2022-01-11 17:12:35

Believe I just saw some reports of an issue and engineering is looking into it.

Woody (eric.woodland@trust.tc)
2022-01-11 17:14:21

@Clark I think it had a hiccup

Woody (eric.woodland@trust.tc)
2022-01-11 17:14:35

It seems to be back, from a login/SSO perspective

Mikey2000 (mscottscranton079@gmail.com)
2022-01-26 07:08:02

Am I wrong with this? With Android Enterprise there is no automatic triggering of MobileIron Tunnel like there is with iOS, only Always-On.

Steve Hayton (shayton@bridgeway.co.uk)
2022-01-26 09:17:30

*Thread Reply:* Hi, you can set allowed list to have the “per app” experience if that is what you are referring to? Or is it related to restricted system settings as per here: https://support.google.com/work/android/answer/9213914?hl=en

Mikey2000 (mscottscranton079@gmail.com)
2022-01-26 10:56:32

*Thread Reply:* The question was rather: how can MobileIron Tunnel on Android Enterprise devices be triggered? On iOS you can trigger Tunnel when opening an app. As far as I know this is not possible with Android.

Mikey2000 (mscottscranton079@gmail.com)
2022-01-26 10:57:14

*Thread Reply:* For instance: opening Chrome will not trigger MobileIron Tunnel even Chrome is in the allowed list within Tunnel

Clark (76clark@gmail.com)
2022-01-26 13:35:28

*Thread Reply:* it will be an always running VPN. We are limited to the limitation of the OS.

👍 Mikey2000
Jason Bayton (jason@bayton.org)
2022-01-28 12:59:54

*Thread Reply:* ^ but you can still define per-app VPN split tunnelling and the usage of always on VPN isn't a colossal battery drain if it's not routing traffic

Mikey2000 (mscottscranton079@gmail.com)
2022-01-27 12:37:58

SCEP on Core - Error issuing a test certificate - could not obtain certificate from CA - which log file on Core should contain more details? Certactivity.log?

Ala Almaet (ala@alaalmaet.com)
2022-01-27 21:19:19

*Thread Reply:* @Mikey2000 Enable Trace logging and look at the MIFS file

👍 Mikey2000
mahiroux (mhyb.mk@gmail.com)
2022-01-31 16:25:15

I have a new user and he brought a new Samsung a 22 device. He is entering his email ID to register his device to MI Core work profile mode using M@work app. But the application is closing automatically after the user enters his email ID and taps register (screen shows we are trying to find you). When the user installed test DPC app, everything went smoothly and work profile was successfully created. Any assistance to troubleshoot this issue is highly appreciated.

Markus Speicher (mspeicher@mobileiron.com)
2022-02-01 10:36:56

*Thread Reply:* @mahiroux Did you register your domain with MobileIron to find your Core? As an alternative you could add the URL manually then authenticate on Core to enroll. Make sure that the Android Enterprise Workprofile Config gets applied on the device.

mahiroux (mhyb.mk@gmail.com)
2022-02-01 12:15:43

*Thread Reply:* Opened a case with Ivanti and this issue is currently noticed in the following models as well. Ivanti has opened a vendor ticket with Samsung.

• SM-A105F
• SM-A110F
• SM-A520F
• SM-A720F

mahiroux (mhyb.mk@gmail.com)
2022-02-02 06:19:17

*Thread Reply:* This issue has been identified as a bug and the fix is expected in m@w client 11.6

Raul (rnadal@mobileiron.com)
2022-02-02 18:05:59

*Thread Reply:* Did you try downloading the previous version of M@W using this URL?

https://support.mobileiron.com/android/mobileiron-MIClient-11.4.0.1.apk

mahiroux (mhyb.mk@gmail.com)
2022-02-03 01:41:28

*Thread Reply:* Tried 11.4 and 11.3 but the result was the same. Later Ivanti confirmed that the issue affects previous versions as well.

mahiroux (mhyb.mk@gmail.com)
2022-02-05 10:47:07

*Thread Reply:* Issue is fixed in M@W 11.5.1 which is currently in Beta.

Mikey2000 (mscottscranton079@gmail.com)
2022-02-03 11:07:47

Has anyone configured Outlook with Kerberos Constrained Delegation on Core with Exchange On-Premise?

Stephan Giese (stephan.giese@sva.de)
2022-02-04 10:45:19

@Stephan Giese has joined the channel

🙌 Stephan Giese
Mikey2000 (mscottscranton079@gmail.com)
2022-02-07 16:54:28

Is MobileIron FilePass still alive?

Ala Almaet (ala@alaalmaet.com)
2022-02-07 20:39:18

*Thread Reply:* @Mikey2000 Yes sure is

Mikey2000 (mscottscranton079@gmail.com)
2022-02-07 20:39:44

*Thread Reply:* But there is no support for iOS 15

Mikey2000 (mscottscranton079@gmail.com)
2022-02-07 20:40:20

*Thread Reply:*

Mikey2000 (mscottscranton079@gmail.com)
2022-02-07 21:10:35

MobileIron Access only for one Relying Party Trust - does anyone know how this has to be done on the ADFS? I am not an expert on ADFS, but I am thinking: Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName "Office 365" -SourceWebThemeName "MobileIron Access"

mahiroux (mhyb.mk@gmail.com)
2022-02-09 09:16:20

We are planning to migrate from on-prem Exchange to Exchange Online and we have already installed a new Sentry to test Exchange Online. We are currently using KCD for ActiveSync, how do we deliver password-less email setup for users once we move to Exchange Online? We are not using MI Access and we are using native mail (iOS) and Email+ (Android AE)

Martin (mto@mobileiron.com)
2022-02-10 10:52:22

*Thread Reply:* If you are pushing EOL traffic through the sentry then short answer is you can’t. Device Authn to Sentry will be cert based and then from Sentry to EOL will be just a passthru

For passwordless you will need to setup CBA for EOL and have traffic direct to EOL rather than the sentry

👍 Justin Butts
mahiroux (mhyb.mk@gmail.com)
2022-02-10 13:38:00

@Martin Any drawbacks if we go with CBA+ Oauth approach? iOS native mail is supported?

Steve Hayton (shayton@bridgeway.co.uk)
2022-02-10 13:52:17

*Thread Reply:* iOS native email supports CBA, you no longer have the Sentry server providing compliance checking, instead use Partner Device Compliance to get your MI Compliance status into Endpoint Manager to get the required control should a device fall out of compliance

mahiroux (mhyb.mk@gmail.com)
2022-02-10 15:44:21

*Thread Reply:* Thanks Steve and Martin for the valuable comments. Will this setup work if O365 has MFA enabled?

Steve Hayton (shayton@bridgeway.co.uk)
2022-02-10 15:48:39

*Thread Reply:* yes you have to install authenticator on the phone

Steve Hayton (shayton@bridgeway.co.uk)
2022-02-10 15:49:15

*Thread Reply:* Mandatory for partner compliance (ie authenticator on that device not another phone you happen to have)

mahiroux (mhyb.mk@gmail.com)
2022-02-11 03:32:16

*Thread Reply:* Thank you @Steve Hayton, CBA+Oauth with partner compliance works android AE Email+?

Steve Hayton (shayton@bridgeway.co.uk)
2022-02-11 08:43:05

*Thread Reply:* yes it does

mahiroux (mhyb.mk@gmail.com)
2022-02-14 12:07:18

*Thread Reply:* We use ADFS. Can we still use CBA+Auth or do we require access for email sync to work?

Mizid (azull_mahmoud@hotmail.com)
2022-02-17 09:30:00

@Mizid has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2022-02-18 10:14:45

Can anyone tell me how to change the default gateway on the Sentry via CLI?

Almar Diehl (almar.diehl@blaud.com)
2022-02-18 10:55:04

ip route 0.0.0.0 0.0.0.0 [ip-address of gateway]

Rakesh Ramraj (rakeshkumar2191@gmail.com)
2022-02-19 19:56:11

@Rakesh Ramraj has joined the channel

mahiroux (mhyb.mk@gmail.com)
2022-03-02 05:10:20

We are planning to migrate from Microsoft on-prem to cloud hybrid infrastructure which includes Exchange, SharePoint, Power BI etc. We would like to keep MobileIron as MDM but are looking at the possibility of pushing Microsoft apps such as Outlook or OneDrive with Intune MAM policy. Appreciate any suggestions or recommendations in this regard.

Ala Almaet (ala@alaalmaet.com)
2022-03-02 05:21:11

*Thread Reply:* @mahiroux this KB article should assist with intune MAM policies through MI https://forums.ivanti.com/s/article/MobileIron-Core-Office-365-Mobile-App-Protection-Graph-API-7265

mahiroux (mhyb.mk@gmail.com)
2022-03-02 06:00:59

*Thread Reply:* Why do we need Graph API, can't we push the MAM policy directly from Intune?

Ala Almaet (ala@alaalmaet.com)
2022-03-02 06:25:53

*Thread Reply:* Why manage them from 2 consoles when you can create and deploy them from MI Core/Cloud to O365 apps and also view the status/reporting for devices from the one console?

mahiroux (mhyb.mk@gmail.com)
2022-03-02 06:41:20

*Thread Reply:* Are there any limitations if we manage Microsoft apps using Graph API over directly using Intune MAM policies? Do we have all the Intune MAM policies available with Graph API? Sorry for being naive as I don't have much knowledge of Intune and how it works.

Ala Almaet (ala@alaalmaet.com)
2022-03-02 06:43:36

*Thread Reply:* You get all the Intune MAM policies available to you when you setup MS O365 Graph API

Justin Butts (justin.butts777@gmail.com)
2022-03-02 21:04:38

*Thread Reply:* You do it with Graph API

mahiroux (mhyb.mk@gmail.com)
2022-03-06 07:04:05

In the Azure app registration API Permission page (for Graph API), I see a warning banner for MobileIron which states that ‘This application is using Azure AD graph API, which is on deprecation path….’ Any action required from our side or is this required to be addressed by MobileIron?

Mikey2000 (mscottscranton079@gmail.com)
2022-03-09 16:38:28

Anyone using Temporary Access Pass for enrollment? The admin has to create the TAP. Is there an automatic process that the generated TAP will be submitted to the users or is this a manual process by the admin?

Christian Andrésen (christian.andresen@techstep.se)
2022-03-10 13:33:55

@Christian Andrésen has joined the channel

Max Ågren (max.agren@techstep.se)
2022-03-16 11:04:14

@Max Ågren has joined the channel

Govi (byodmdm@gmail.com)
2022-03-17 04:40:14

Hi, need help: Where can I get the full list of AppConfig keys for the MS Outlook app for iOS to create a .plist for allowing/restricting certain features via MobileIron Core?

Clark (76clark@gmail.com)
2022-03-17 12:37:42

Think this is what you are looking for https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outloo[…]ook-for-ios-and-android-configuration-with-microsoft-intune

Mikey2000 (mscottscranton079@gmail.com)
2022-03-17 13:32:53

Is there a way to access System Manager of Sentry if all known accounts are not working? Also the enable secret is not working. Tried to add a new user via VMware console. I am thinking new installation of Sentry.

Steve Hayton (shayton@bridgeway.co.uk)
2022-03-17 13:35:30

If you have spent that much time trying to get in I'd build a new Sentry on a temp IP address and configure the system manager fully, shut down the old one via VMware then put the proper IP on the new one. Save and reboot it then repush profile from the console. Minimal downtime

Mikey2000 (mscottscranton079@gmail.com)
2022-03-17 13:57:13

*Thread Reply:* You are right. Looks like we have the same issue with Core MICS. We are able to login with the local admin account within the Admin Portal, but not the System Manager. This is weird.

Steve Hayton (shayton@bridgeway.co.uk)
2022-03-17 14:01:22

*Thread Reply:* the passwords are not synced past the first setup, Admin and System thereafter become different accounts so the password changes are independent

Steve Hayton (shayton@bridgeway.co.uk)
2022-03-17 14:02:14

*Thread Reply:* do you have the enable password for Core?

Mikey2000 (mscottscranton079@gmail.com)
2022-03-17 14:02:48

*Thread Reply:* We have it.. but its not working. Nobody changed it.

Mikey2000 (mscottscranton079@gmail.com)
2022-03-17 14:04:41

*Thread Reply:* We used the account which was setup during installation

Steve Hayton (shayton@bridgeway.co.uk)
2022-03-17 14:08:10

*Thread Reply:* raise a support case on the Core, you need to get back into it. had you applied all the log4j patches?

Mikey2000 (mscottscranton079@gmail.com)
2022-03-17 14:08:36

*Thread Reply:* I guess not on all systems 😀

Steve Hayton (shayton@bridgeway.co.uk)
2022-03-17 14:09:05

*Thread Reply:* ok, when you get back into it (Core) do a chassis swap ASAP

Mikey2000 (mscottscranton079@gmail.com)
2022-03-17 14:14:39

*Thread Reply:* How would I do that?

Steve Hayton (shayton@bridgeway.co.uk)
2022-03-17 14:28:23

*Thread Reply:* get yourself back into the Core then tag me here and we can discuss in direct chat

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2022-03-17 14:28:52

*Thread Reply:* Thanks I will

Mikey2000 (mscottscranton079@gmail.com)
2022-03-17 13:58:51

If we have enabled app auto update for VPP apps on MobileIron Core, is there a schedule for how these app updates are recognized by the devices?

Justin Butts (justin.butts777@gmail.com)
2022-03-17 14:33:10

*Thread Reply:* I always thought it was 24h after app update is available in public app store

Mikey2000 (mscottscranton079@gmail.com)
2022-03-21 09:27:08

Partner Compliance problem on iOS devices. Azure Client Status Code on Core says „Interaction Required“, but within M@W the integration of M365 Access has a ✅. The compliance status in Azure is N/A. The user has an Intune license. Does anyone know what's missing?

ZL (mobilepros@zolik.co.uk)
2022-03-29 14:24:51

@ZL has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2022-03-30 12:15:08

Partner Compliance with Azure - is there a way to trigger an Azure Monitoring Alert if the partner status has „connection lost“?

Clark (76clark@gmail.com)
2022-03-31 14:04:34

*Thread Reply:* nothing from within MI. You may want to check with MS to see if they have any alerting

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2022-04-13 20:41:15

Where did the button for iOS software updates go in Core 11.5? It is not in the actions menu anymore.

Yth (enis_1990_@hotmail.com)
2022-04-14 09:03:59

*Thread Reply:* I think this feature got removed.

Mikey2000 (mscottscranton079@gmail.com)
2022-04-14 09:07:51

*Thread Reply:* Wtf.. really?

Yth (enis_1990_@hotmail.com)
2022-04-14 09:21:33

*Thread Reply:* From 11.5

Mikey2000 (mscottscranton079@gmail.com)
2022-04-14 09:51:56

*Thread Reply:* Thanks 🙏

Justin Butts (justin.butts777@gmail.com)
2022-04-15 14:21:56

*Thread Reply:* why in the world was this removed?

Mikey2000 (mscottscranton079@gmail.com)
2022-04-15 14:23:37

*Thread Reply:* Good question..

Justin Butts (justin.butts777@gmail.com)
2022-04-19 21:08:02

"Clicking Save will re-push profiles to all matching devices even if no change to the configuration was made." I can't remember what the actual end-user interaction is here for the life of me and can't easily test this - does this cause the user to have to re-install the profile or is it just a notification that a new profile has been installed?

Justin Butts (justin.butts777@gmail.com)
2022-04-19 21:08:22
Clark (76clark@gmail.com)
2022-04-19 21:22:39

the profiles will push down to the device but if there is an impact depends on the config. If it is exchange a user may need to reauthenticate, if it is a privacy policy they will need to click OK acknowledging the change, or if the change is something that requires a user interaction such as changing the password length from 6 to 8. Beyond that there should not be a notification or impact to users

👍 Justin Butts
:upvote: Govi
Justin Butts (justin.butts777@gmail.com)
2022-04-20 01:28:38

*Thread Reply:* Great info! Thank you!

Rob B (robtb1990@gmail.com)
2022-04-26 21:03:02

@Rob B has joined the channel

Rob B (robtb1990@gmail.com)
2022-04-27 18:52:53

What is the general consensus regarding the MobileIron Core to Cloud Migration Tool? Is it normally reliable? Having some weird results moving Android devices over and couldn't tell if that's just to be expected or if something is configured incorrectly.

Woody (eric.woodland@trust.tc)
2022-04-29 03:14:24

If only they had left the product name alone… #MICore

🤦‍♂️ Matt Dermody, Sherman Chen, Mikey2000
😂 Sherman Chen
👍 Govi
:face_palm: Phil Hackett
Mikey2000 (mscottscranton079@gmail.com)
2022-05-11 17:17:50

Help@Work via Core (EPMwhocares).. Is it possible that 2 admins connect to the same device via Core actions menu?

Clark (76clark@gmail.com)
2022-05-11 17:26:40

*Thread Reply:* Does TeamViewer allow two separate connections to the same device? If TeamViewer allows it, I would see no issues from the Core side

Mikey2000 (mscottscranton079@gmail.com)
2022-05-11 17:31:34

*Thread Reply:* Good question. Not sure but I believe I have seen that. Gotta test this

Mikey2000 (mscottscranton079@gmail.com)
2022-05-12 09:47:51

*Thread Reply:* Update: You can only connect once to a device. A second session is not allowed - TeamViewer message: already connected..

Peuge (peuge.benjamin@gmail.com)
2022-05-20 15:58:17

Hey guys. What have people been seeing with this change from AAD user source to AAD User provisioning process?

Woody (eric.woodland@trust.tc)
2022-05-20 20:45:49

*Thread Reply:* @Peuge did MI build an app in AAD that is handling user lifecycle (vs just providing a feed of users/groups)?

Peuge (peuge.benjamin@gmail.com)
2022-05-20 21:20:48

*Thread Reply:* It will manage the life cycle

Peuge (peuge.benjamin@gmail.com)
2022-05-20 21:20:54

*Thread Reply:* @Woody

👍 Woody
Clark (76clark@gmail.com)
2022-05-24 18:44:05

Have you assigned the enterprise app to a user or group to sync down to Cloud? Unlike the old method, it does not dump your entire AAD into Cloud. You have to pick what to sync. Nested groups are not supported either. That is an MS limitation, not an MI one.

👍 Woody, Justin Butts
Justin Butts (justin.butts777@gmail.com)
2022-05-26 19:15:06

*Thread Reply:* all good now!

Justin Butts (justin.butts777@gmail.com)
2022-06-03 23:21:42

*Thread Reply:* So we assigned the app to all users and MI Cloud is absolutely not pulling in all users

Justin Butts (justin.butts777@gmail.com)
2022-06-03 23:37:47

*Thread Reply:* seeing 82 I think in AAD, 78 in MI Cloud, users populated in the Users tab look okay, but then there is another discrepancy with MI Cloud's All Users group which only contains 57 users and is requiring me to one-by-one add more users so they can actually enroll and not get hit with invalid creds

Clark (76clark@gmail.com)
2022-06-03 23:38:34

*Thread Reply:* Are any of the users in nested groups? MS does not support that. Also, check, as I believe there will be an error log on Azure if it refuses to sync users. Could give you a clue as to why it is not syncing everyone.

Justin Butts (justin.butts777@gmail.com)
2022-06-03 23:40:47

*Thread Reply:* oooh wait so even if the ent app is assigned globally to all users, if a particular user resides in a nested group, they won't get auto-imported?

Justin Butts (justin.butts777@gmail.com)
2022-06-03 23:41:06

*Thread Reply:* That could be what I'm seeing

Peuge (peuge.benjamin@gmail.com)
2022-06-03 16:09:27

Has anyone experienced slowness in MI Cloud and it being a bit glitchy?

Justin Butts (justin.butts777@gmail.com)
2022-06-03 22:51:12

yes

Justin Butts (justin.butts777@gmail.com)
2022-06-03 22:51:13

for the past week

Justin Butts (justin.butts777@gmail.com)
2022-06-03 22:51:55

having issues with AD auth over DEP Enrollment - manual enrollments AD auth works fine - thoughts?

Justin Butts (justin.butts777@gmail.com)
2022-06-03 22:52:56

"You're credentials are either invalid or wrong"

Arttu (arttu.huhtiniemi@miradore.com)
2022-06-04 14:34:28

@Arttu has joined the channel

Woody (eric.woodland@trust.tc)
2022-06-14 03:22:37

@Peuge @Justin Butts it was still slow today. Same for you guys?

👍 Rob B
Woody (eric.woodland@trust.tc)
2022-06-15 16:59:20

🤮

🤮 Rob B, Mikey2000
Clark (76clark@gmail.com)
2022-06-15 23:04:31

Quite the mouthful of a name now

😆 Woody, Mikey2000
Woody (eric.woodland@trust.tc)
2022-06-16 13:33:14

*Thread Reply:* @Clark Dude — Right?

Rob B (robtb1990@gmail.com)
2022-06-16 19:42:17

*Thread Reply:* is the re-brand causing the outage I am having?

Clark (76clark@gmail.com)
2022-06-16 19:45:49

*Thread Reply:* No, that rebranding has been in place for a few weeks now depending on the location of your tenant. Are you on na2 by chance? I am seeing some odd issues in my lab on na2. I would suggest opening a support case on any outage you are seeing

Rob B (robtb1990@gmail.com)
2022-06-16 19:46:39

*Thread Reply:* Yea it was tongue in cheek haha. But yes I am experiencing issues on na2

Rob B (robtb1990@gmail.com)
2022-06-16 20:07:55

*Thread Reply:* @Clark Support says it's an na2 outage. As of 5 minutes ago no ETA and no idea what caused it

Clark (76clark@gmail.com)
2022-06-16 20:38:43

*Thread Reply:* Per the status page a fix has been put in place

👍 Woody, Rob B
Justin Butts (justin.butts777@gmail.com)
2022-06-17 00:14:13

First I've seen this from any MDM - anyone have any thoughts?

Justin Butts (justin.butts777@gmail.com)
2022-06-17 00:14:17
Justin Butts (justin.butts777@gmail.com)
2022-06-17 00:14:49

user trying to update a VPP'd app in app store web clip

Justin Butts (justin.butts777@gmail.com)
2022-06-17 00:15:07

^Cloud

Clark (76clark@gmail.com)
2022-06-17 03:22:40

Switch to device based tokens. Looks like it is set to user based right now

👍 Justin Butts, Woody
Mark Vonk (mark.vonk@dahvo.com)
2022-06-17 13:19:22

*Thread Reply:* Indeed, this is the notification you get when the VPP licenses are set to user based.

Justin Butts (justin.butts777@gmail.com)
2022-06-17 15:01:00

*Thread Reply:* weird - could have sworn they were all device based - thanks!

Michael (michaelcadogan26@gmail.com)
2022-06-24 06:34:28

Has anyone got experience with load balancing AWS Sentries? I have questions in particular around:
• What relationship the hostname has, given that the AWS install guide recommends “you use the Public DNS name provided by AWS”. This hostname goes against the Sentry records in Cloud, however the hostname isn’t static. I’m ultimately not wanting to set static public IPs for my Sentries, so can the hostname just be set to anything random as an identifier?
• How to perform the health checks using for example an AWS NLB. Given I’ll be using certificates it seems like Sentry is just outright denying any HTTPS/TCP requests, as all my health checks have been failing. The doco vaguely suggests doing a TCP_ALL / PING health check but I don’t know if that’s a limitation within AWS NLBs.
Given Ivanti support AWS based Sentries I’m left with a lot of questions around how to configure the load balancing of them.

Nick Knight (arpknight@gmail.com)
2022-06-25 11:09:03

@Nick Knight has joined the channel

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2022-07-02 20:26:26

Any way to set up access to a 2nd calendar (Exchange on premise) for Samsung A13 using Android 12.0? (They are using email version 3.0; from MobileIron University, not seeing it as possible.)

mahiroux (mhyb.mk@gmail.com)
2022-07-06 13:00:24

*Thread Reply:* It is possible. You may refer to the Email+ documentation.

mahiroux (mhyb.mk@gmail.com)
2022-07-07 10:36:20

*Thread Reply:*

Bill Fitzgerald (bfitzgerald@cwsi.ie)
2022-07-02 20:26:48

Meant to say they are using Core with no Sentry for above query

mahiroux (mhyb.mk@gmail.com)
2022-07-05 09:03:43

Is it possible to use Docs@work alone with Intune as MDM? Is there such licensing model available?

Woody (eric.woodland@trust.tc)
2022-07-05 18:15:04

*Thread Reply:* That’s a great question. Technically you could deploy it as a managed app. If perhaps the licensing/activation can be pushed as part of the payload, I don’t see why not. No idea what MI/Ivanti would say though.

Ala Almaet (ala@alaalmaet.com)
2022-07-05 22:43:06

*Thread Reply:* There is no licensing model to cover this type of setup. Docs@Work is designed as part of AppConnect and uses Mobile@Work for the authorisation

👍 Jason
Woody (eric.woodland@trust.tc)
2022-07-05 22:52:57

*Thread Reply:* @Ala Almaet darn. You'd think they’d explore that. I know EBF and Hypergate sell file clients that are UEM agnostic.

Nico Hermeling (nico.hermeling@outlook.com)
2022-07-06 09:31:30

*Thread Reply:* Out of curiosity, what's the use case for Docs@Work in an Intune environment?

mahiroux (mhyb.mk@gmail.com)
2022-07-06 12:33:56

*Thread Reply:* Our use case is to access On premise CIFS network share.

mahiroux (mhyb.mk@gmail.com)
2022-07-06 12:37:28

*Thread Reply:* I am in touch with EBF sales team and probably arrange a POC soon.

Anyone here using Hypergate for the same scenario?

💪 Woody
Woody (eric.woodland@trust.tc)
2022-07-06 14:51:24

*Thread Reply:* @mahiroux While I don’t personally know anyone using Hypergate in the field, I’ve set it up a few times. It’s pretty much straight to the point

Mikey2000 (mscottscranton079@gmail.com)
2022-07-14 10:15:35

Having an issue with Zebra RC93 (work managed enrollment) - 2 private apps will not get installed on some of these devices. On one Zebra device (also RC93) the installation works, and also on Samsung smartphones there is no issue. We have no clue why the apps are not pushed on these devices. Any ideas? Other apps like Google Chrome have no issues - they get pushed.

Matt Dermody (jmdermody@gmail.com)
2022-07-14 17:55:53

*Thread Reply:* My guess would be a hardware requirement that the device doesn’t meet. MC93s can be optionally equipped with a camera so my guess would be the app requires camera access and the MC93s that aren’t installing don’t have cameras

Mikey2000 (mscottscranton079@gmail.com)
2022-07-14 18:01:40

*Thread Reply:* You are right - the device where it worked has a camera, so very good hint. MC93C is the one where it works - C for Camera? So ask the developer about the hardware requirements? Is there a log where I might find details about that? I have pulled ADB logs and bug report but nothing useful.

Matt Dermody (jmdermody@gmail.com)
2022-07-14 18:10:09

*Thread Reply:* I think the developer would have to resolve this somehow, yeah. I want to say it's Google Play that is detecting that the camera is requested somewhere in the app manifest and refusing to install it on devices without cameras in order to avoid frustrating/confusing the end user. It's a consumer grade protection feature that can get in the way in situations like this. I think you may be able to install the APK directly on the devices without involving Google Play if the developer can provide you with a copy. That might be the easiest route unless the app truly needs the camera for a given workflow.

Mikey2000 (mscottscranton079@gmail.com)
2022-07-14 18:20:55

*Thread Reply:* Great, thanks Matt. 🙏 Maybe there is a way to find hints about the hardware requirements in the app permissions within the iFrame?

Mikey2000 (mscottscranton079@gmail.com)
2022-07-14 18:21:20

*Thread Reply:* Just in case if the developer is not willing to invest time 😃

Matt Dermody (jmdermody@gmail.com)
2022-07-14 18:59:34

*Thread Reply:* You could potentially download the APK from an APK mirror and then unzip it to extract the manifest to inspect it yourself

🙏 Mikey2000, Phil Hackett
Matt Dermody (jmdermody@gmail.com)
2022-07-14 19:00:02

*Thread Reply:* but if it is a private app published just to your org id it likely won’t be in an apk mirror

Mikey2000 (mscottscranton079@gmail.com)
2022-07-14 19:00:26

*Thread Reply:* I have the apk

Matt Dermody (jmdermody@gmail.com)
2022-07-14 19:01:08

*Thread Reply:* I’ve used this before: https://www.sisik.eu/apk-tool

Mikey2000 (mscottscranton079@gmail.com)
2022-07-14 19:02:49

*Thread Reply:* Awesome - thanks Matt 🙏

Mikey2000 (mscottscranton079@gmail.com)
2022-07-15 20:13:43

*Thread Reply:* I have checked the manifest:

<uses-feature android:name="android.hardware.nfc" android:required="false" />

and

<uses-permission android:name="android.permission.CAMERA" />

so if the device has no camera, will the permission tag prohibit the installation? Or rather the android.hardware.nfc if the device has no NFC? Even though it's not required.

Our developer will provide a new APK on Monday.

Matt Dermody (jmdermody@gmail.com)
2022-07-15 20:39:32

*Thread Reply:* I think without the camera it will potentially install if sideloaded, but the app itself may become unstable or crash depending on if the developer has designed it to gracefully handle a lack of camera.

Matt Dermody (jmdermody@gmail.com)
2022-07-15 20:39:59

*Thread Reply:* Depending on what the app does it may have a workflow that requires a camera at some point and without that the app may crash or create a dead end for the end user.

Mikey2000 (mscottscranton079@gmail.com)
2022-07-21 19:54:23

*Thread Reply:* You hit the nail right on its head - developer changed the hardware requirements. Now it works. Thanks Matt, learned something again 👍

👍 Matt Dermody
Mikey2000 (mscottscranton079@gmail.com)
2022-07-20 11:52:25

Any idea why this happens on Core locating a device? I am thinking either a browser issue or a FW block - if I try this from an external workstation it works.

Woody (eric.woodland@trust.tc)
2022-07-20 14:03:46

*Thread Reply:* Core is trying to load resources from Mapquest. I'd put money on a proxy config or firewall rule blocking it.

👍 Jason
Rob B (robtb1990@gmail.com)
2022-07-25 17:27:01

na2 down again. Wonderful

😭 Woody
Mikey2000 (mscottscranton079@gmail.com)
2022-08-03 17:05:16

Does the blacklist key value pair within Web@Work work both for Android and iOS?

Woody (eric.woodland@trust.tc)
2022-08-03 20:52:57

Can someone provide me a visual of the MI Cloud option to exclude local users from SSO/SAML once it is configured?

Clark (76clark@gmail.com)
2022-08-03 22:37:23

*Thread Reply:* sent you one via DM

Woody (eric.woodland@trust.tc)
2022-08-03 23:19:30

*Thread Reply:* Thanks @Clark!

👍 Clark
Woody (eric.woodland@trust.tc)
2022-08-09 04:16:04

Wouldn’t you know, mid-way through maintenance and NA2 goes south. 😑 https://status.ivanticloud.com/incidents/bp4rj7z9b04b

Woody (eric.woodland@trust.tc)
2022-08-16 20:00:54

NA2 is acting up again. https://status.ivanticloud.com/incidents/kp6lpt63mcnd

Woody (eric.woodland@trust.tc)
2022-08-23 02:42:27
🤣 Nick Knight, Jason, Christian Andrésen
Kiran Patel (kiran@kiranpatel.net)
2022-08-30 02:44:21

We've had so many outages lately with NA2, it's crazy, right @John Zmyslowski lol

😭 Woody
Gary (mcconnell.gary@gmail.com)
2022-09-14 12:02:49

We have a customer which still has android devices in device admin mode and native samsung email configured via an exchange profile on o365. With o365 disabling basic authentication does anyone have any ideas if it is possible to push an oauth capable exchange profile for android or any other scalable solution?

Clark (76clark@gmail.com)
2022-09-14 13:25:49

*Thread Reply:* Without switching to AE all other options would require users to set up the email themselves. Can't push an Exchange config to the Samsung email app that uses modern auth when doing DA

👆 Woody
Gary (mcconnell.gary@gmail.com)
2022-09-14 13:32:56

*Thread Reply:* Hi Clark, That's confirming our same conclusion. Thanks for the reply

Rajesh Kumar (rajes20@gmail.com)
2022-09-16 13:38:52

*Thread Reply:* I think you can enable modern auth with the Samsung native email app. The Samsung native email app does support modern auth now. You need to make or add some custom config for this. Check on the Samsung website, but not sure about DA mode.

Mikey2000 (mscottscranton079@gmail.com)
2022-09-27 18:30:36

Is there a way to allow Safari for MobileIron Access? Even though Safari is using the Tunnel it shows up on Access as an unmanaged application.

Kiran Patel (kiran@kiranpatel.net)
2022-10-04 02:13:30

*Thread Reply:* @Mikey2000 we have this working. What does your VPN profile look like under Safari domains?

Chris Bensing (chris.bensing@trust.tc)
2022-10-11 20:00:12

@Chris Bensing has joined the channel

Chris Bensing (chris.bensing@trust.tc)
2022-10-11 20:01:43

Hello all. I'm trying to determine if it's possible to deploy a Windows Provisioning Package wrapped in a PowerShell script to Windows 10/11 devices using MobileIron Cloud. Any help is appreciated.

Florent N. (Florent.NOSARI@econocom.com)
2022-10-11 20:06:51

*Thread Reply:* Maybe creating an MSI file which installs the ppkg using PowerShell https://learn.microsoft.com/en-us/powershell/module/provisioning/install-provisioningpackage?view=windowsserver2022-ps

Chris Bensing (chris.bensing@trust.tc)
2022-10-11 20:07:37

*Thread Reply:* Thx, I'll take a look.

Justin Butts (justin.butts777@gmail.com)
2022-10-13 17:59:04

MI Core - BYOD Android with Work Profile - Retire command disappears the device from the console and then the device just continues chugging along, fully enrolled

Justin Butts (justin.butts777@gmail.com)
2022-10-13 17:59:07

anyone seen this?

Justin Butts (justin.butts777@gmail.com)
2022-10-13 18:04:50

*Thread Reply:* Device remained fully managed with full access until I forced a manual check in within MobileIron App > Settings > Force Check in....the check in button from the MI App splash page does absolutely nothing

Justin Butts (justin.butts777@gmail.com)
2022-10-13 18:05:10

*Thread Reply:* I can count on zero hands how many people are going to perform that action post retire

Mark Vonk (mark.vonk@dahvo.com)
2022-10-13 21:18:06

*Thread Reply:* I have seen it take some time and a manual check-in does force it. Check the setting in the sync policy to confirm the device does check-in regularly

Ricardo Simiao (ricardo.simiao@gmail.com)
2022-10-24 16:06:25

@Ricardo Simiao has joined the channel

Peuge (peuge.benjamin@gmail.com)
2022-10-26 15:05:25

What is going on at Ivanti? Customers are jumping ship from MobileIron to Intune, and it's painful to watch.

Matt Dermody (jmdermody@gmail.com)
2022-10-26 15:28:27

*Thread Reply:* A lot of people are jumping ship to Intune from my perspective

Matt Dermody (jmdermody@gmail.com)
2022-10-26 15:30:17

*Thread Reply:* Intune is very competitively priced and wrapped up into an o365 subscription for ease of billing. I think it’s also part of the whole “no one ever got fired for bringing in IBM/Microsoft” mentality at the CIO level.

Matt Dermody (jmdermody@gmail.com)
2022-10-26 15:30:59

*Thread Reply:* In my experience with Intune however it is incredibly poor at handling the use case I care about (fully managed Android devices) and customers are not realizing that until it's too late.

👆 Woody, Todd Cole
👆:skin_tone_2: Prip
Peuge (peuge.benjamin@gmail.com)
2022-10-26 15:40:41

*Thread Reply:* @Matt Dermody I completely agree with you. This situation is so cringey

Prip (prithviprasadk@hotmail.com)
2022-10-26 20:19:54

*Thread Reply:* the end is near

😆 Woody
Woody (eric.woodland@trust.tc)
2022-11-01 19:41:04

*Thread Reply:* Also have to remember… every decade or so senior level management rotates out. New blood seeking “new” ways to show how they’re helping the company. The MS value proposition/price is very attractive to people in those positions. Then in 10 years, it’ll be time for the waves to go back out b/c Intune isn’t meeting their needs.

👏 Paul Troisi
YAS (esteem143@gmail.com)
2022-11-21 16:41:22

*Thread Reply:* On March 31, 2024, Ivanti Endpoint Manager (EPM) will end support for managing iOS and Android devices. EPM will continue supporting Windows, macOS and Linux.

This notification applies to customers who purchased EPM prior to January 1, 2022. Customers who purchased EPM on or after January 1, 2022 are not entitled to iOS and Android management.

Clark (76clark@gmail.com)
2022-11-21 18:45:37

*Thread Reply:* customers will need to use Ivanti EPMM instead (new name for Core) or go Cloud based with Ivanti Neuron for MDM (rebranded name for MI Cloud)

👍 Woody
👍:skin_tone_2: Prip
macbentosh (benbergthold@gmail.com)
2022-10-27 20:39:16

How would one create an advanced search if a device has an app installed?

Prashanth (rprashanth1994@gmail.com)
2022-11-21 14:37:47

@Prashanth has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2022-11-22 07:04:17

We are in transition from MobileIron to Intune. We are not doing a factory reset on enrolled devices, only retire and re-enrollment via Company Portal app. We want to keep a couple of apps which have been deployed via MobileIron and also deploy the Company Portal via MobileIron and leave it on the device after retirement from MobileIron. The option „Remove app when removed from MDM“ within the app settings is disabled. My question: If apps have been deployed via VPP, the license will be revoked. Will that also be an issue with keeping the app on the device? My guess is yes.

Mathieu Beaugrand (beaugrandma@gmail.com)
2022-11-22 09:21:47

*Thread Reply:* From memory there is a 30 day grace period, so if the new UEM replaces the VPP license key within the grace period, you should be good.

🙏 Mikey2000, Woody
Woody (eric.woodland@trust.tc)
2022-12-06 02:35:44

Anyone in the MI Cloud/Ivanti Neurons world seen “Could not retrieve license for the app with iTunes Store ID xxx” in the past couple of days?

Update: this was resolved by wiping and re-enrolling the device. I will say that the customer had failed to update their ABM T&CS and I thought that might be having some bearing on it, but this was the sole device that exhibited this symptom. Couldn’t reproduce on any others.

Mikey2000 (mscottscranton079@gmail.com)
2022-12-14 15:35:51

How would you design the transition from KCD with Exchange On-Prem to Exchange Online? What are the options for SSO (Core)?

Clark (76clark@gmail.com)
2022-12-15 13:23:00

*Thread Reply:* Cert based auth or Access are your two options I can think of.

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2022-12-15 13:24:25

*Thread Reply:* Is there a good guide how to configure CBA with MobileIron and Exchange Online?

Clark (76clark@gmail.com)
2022-12-15 13:25:53

*Thread Reply:* you would need to provide more details on the environment. What is the IDP?

Mikey2000 (mscottscranton079@gmail.com)
2022-12-15 13:27:46

*Thread Reply:* We have PHS, so no federated domain with ADFS

Clark (76clark@gmail.com)
2022-12-15 13:32:08

*Thread Reply:* if you are using Azure, which I think you are saying (correct me if I am mistaken), then see this article: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication

Gary (mcconnell.gary@gmail.com)
2022-12-15 21:17:52

*Thread Reply:* We have successfully tested in our lab CBA with Exchange Online in combination with conditional access rules - if no certificate is presented the users get prompted for 2FA. We have also been using CBA for years with Exchange Online and it works well. Very easy to configure via PowerShell. PM me if you want further info

👆 Woody, Mikey2000
💪 Woody
Mikey2000 (mscottscranton079@gmail.com)
2022-12-20 08:58:14

We are in the transition from MobileIron to Intune. Within the MobileIron Core Admin Portal we have NOT set the option „Remove app when MDM profile is removed“ for MS Authenticator. But if we retire a device, MS Authenticator will still get removed - even though the app is managed! Any ideas?

Woody (eric.woodland@trust.tc)
2022-12-20 17:26:12

@Mikey2000 that’s interesting. So the flag is not set to remove on MS Authenticator, but it is removing itself when a retire is initiated?

Mikey2000 (mscottscranton079@gmail.com)
2022-12-20 17:27:30

*Thread Reply:* Exactly! But not on every device.

Mikey2000 (mscottscranton079@gmail.com)
2022-12-20 17:28:19

*Thread Reply:* But we have not found a pattern for what's wrong.

Clark (76clark@gmail.com)
2022-12-20 17:48:05

*Thread Reply:* was it enabled at one point to be removed and someone updated it so it was no longer set to be removed?

Mikey2000 (mscottscranton079@gmail.com)
2022-12-20 17:50:37

*Thread Reply:* Exactly! We have updated it a couple of weeks ago. Originally it was always set to remove after retire.

Clark (76clark@gmail.com)
2022-12-20 17:53:29

*Thread Reply:* I was told by support a while back that this setting will only get updated on an app already installed after there has been an update pushed to the app by the vendor. From Core I would recommend pushing updates to those that are available to help with not removing the app. Last update was on Dec 14, 2022 so there is a good chance this will catch a lot of people and help with not removing the app

Mikey2000 (mscottscranton079@gmail.com)
2022-12-20 17:58:19

*Thread Reply:* Holy sh**, that is some great input. Thanks a lot Clark. That could explain it. You mean push updates for the Authenticator app? How can I push updates, do you mean the automatic app update checkbox within the app settings?

Clark (76clark@gmail.com)
2022-12-20 18:09:10

*Thread Reply:* Really shocking how most Core customers are not aware of this feature but check the box next to Authenticator > Actions > Installation Request and then configure the pop up like the below and click Apply

Woody (eric.woodland@trust.tc)
2022-12-20 18:10:03

*Thread Reply:* So @Clark if you change the flag and you push an update… it effectively updates the state of the flag on the device without re-installing the app?

Woody (eric.woodland@trust.tc)
2022-12-20 18:10:13

*Thread Reply:* Does that carry-over into MI Cloud as well?

Clark (76clark@gmail.com)
2022-12-20 18:10:18

*Thread Reply:* as devices check in they will receive the prompt to update unless they are DEP and it should then be silent

Clark (76clark@gmail.com)
2022-12-20 18:11:15

*Thread Reply:* @Woody app is already managed, this is just telling the app to update to the latest version, and when doing so, changes you did for the app in Core like not uninstalling should then take effect

Mikey2000 (mscottscranton079@gmail.com)
2022-12-20 18:11:22

*Thread Reply:* Right, forgot about this one. :facepalm::skintone_2: Thanks

Woody (eric.woodland@trust.tc)
2022-12-20 18:12:14

*Thread Reply:* Okay. Just to be clear though, if an app is set not to uninstall on unenrollment and you change that preference… is there a way to push the updated setting to the already-installed app?

Clark (76clark@gmail.com)
2022-12-20 18:13:00

*Thread Reply:* as far as I am aware of no, unless there is an update to the app version or the user uninstalls and reinstalls

🙏 Mikey2000, Woody
Woody (eric.woodland@trust.tc)
2022-12-21 05:02:42

*Thread Reply:* @Clark oh, that’s nice. So if the vendor releases an updated version of the app (say via App Store), the updated managed payload (with preference to uninstall) would then be applied? Could be useful down the road.

David Arvidsson (david.arvidsson@outlook.com)
2022-12-21 09:26:29

@David Arvidsson has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2023-01-12 08:43:24

How do you guys handle enrollment via KME for MobileIron Core in terms of labels? I want to enroll COBO and WPoCOD. If a filter label can be used, what would the query look like? Do I still need the JSON within the KME profile as described in the Ivanti document for KME?

Raul (rnadal@mobileiron.com)
2023-01-12 13:09:53

Hey,

No, you don’t need to add any DPC extras to KME.

WP-C or DO mode deployment is determined by the config you send from Core

Mikey2000 (mscottscranton079@gmail.com)
2023-01-25 17:43:21

*Thread Reply:* Right. But normally you have one AE enrollment config for WPoCOD and a separate one for COBO. Which filter property would you use? Because both are DO / Work Managed.

Raul (rnadal@mobileiron.com)
2023-01-25 17:44:55

*Thread Reply:* What’s the criteria you are looking for to distinguish when a user provisions a device in DO mode and when in COPE/WP-C?

Mikey2000 (mscottscranton079@gmail.com)
2023-01-25 17:48:20

*Thread Reply:* I don’t know the exact wording, but we used the Registration Status (like work managed) within the filter label. It’s Work Managed and Work Managed with Profile or something like that. Finally we ended up using LDAP groups

Raul (rnadal@mobileiron.com)
2023-01-25 17:50:33

*Thread Reply:* Yes, but I’m asking what would be the expected behavior.

What is the expected behavior?

Are you looking to define the expected AE deployment from ZT/KME instead of from the UEM side?

Mikey2000 (mscottscranton079@gmail.com)
2023-01-25 17:51:32

*Thread Reply:* Yes we enroll via KME. So the profiles within KME should match the correct AE config on Core

Raul (rnadal@mobileiron.com)
2023-01-25 17:52:31

*Thread Reply:* Because M@W supports passing keys so you should be able to apply a custom attribute to devices provisioned with a given ZT or KME or QR code

Mikey2000 (mscottscranton079@gmail.com)
2023-01-25 17:53:08

*Thread Reply:* That is exactly what I am looking for

Raul (rnadal@mobileiron.com)
2023-01-25 17:53:24

*Thread Reply:* If you check MI Provisioner you will see fields at the bottom when you select M@W

Mikey2000 (mscottscranton079@gmail.com)
2023-01-25 17:53:51

*Thread Reply:* Thanks, great hint!

Raul (rnadal@mobileiron.com)
2023-01-12 13:10:52

There was a phase I of WP-C support when a parameter was required but you don’t need it anymore

🙏 Mikey2000
Raul (rnadal@mobileiron.com)
2023-01-12 13:11:11

Same on ZT config or QR

Allison Smith (allison.smith@disney.com)
2023-01-20 16:25:02

@Allison Smith has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2023-01-25 17:39:42

Does anyone have active Windows enrollments with Core? Trying to set up a WiFi via CBA. SCEP pushes the certificate, and it is visible on the Windows client. Same goes for the WiFi profile. But if I try to connect it asks for a client certificate - which is there. Any ideas what I might miss? Are fresh Windows enrollments still supported with Core?

Raul (rnadal@mobileiron.com)
2023-01-25 17:59:57

They are supported and if you are pushing the cert to the User store, that should work

Woody (eric.woodland@trust.tc)
2023-01-30 18:59:01

https://status.ivanticloud.com/incidents/dslxsm6rfk6j

Mikey2000 (mscottscranton079@gmail.com)
2023-02-08 11:34:15

We have connected GraphAPI with Core so we can use App Protection Policies with Microsoft apps on MobileIron devices. Problem is, the check-in count of the App Protection Policy stays 0, the policy will not apply. Policy is applied to the app. The user has an Intune license and is a member of the group to which the policy has been applied. Did I miss anything else? What could be the issue - logs?

Mikey2000 (mscottscranton079@gmail.com)
2023-02-08 12:57:00

Automatic app updates on iOS - some devices install automatic app updates but others won’t. All devices have the same label and have a working check-in. Are there any device settings that might prevent the automatic app update?

Rajesh Kumar (rajes20@gmail.com)
2023-02-08 13:03:11

Maybe auto update is disabled on the device end.

Mikey2000 (mscottscranton079@gmail.com)
2023-02-09 21:54:32

*Thread Reply:* Good point. Yes VPP

Rajesh Kumar (rajes20@gmail.com)
2023-02-08 13:03:16

Is it VPP apps?

Mikey2000 (mscottscranton079@gmail.com)
2023-02-11 07:28:35

*Thread Reply:* Yes

Rob B (robtb1990@gmail.com)
2023-02-13 17:06:29

Is it me, or are MI Cloud's reporting capabilities lacking compared to other MDMs? Was trying to make a report of Employee Owned devices where the users are in a specific AD group, with a specific app installed.

Only way I have been able to pull that info is to download two separate reports and compare the data in Excel to get the info I need.

Florent N. (Florent.NOSARI@econocom.com)
2023-02-13 17:35:11

*Thread Reply:* Did you try with custom search?

Rob B (robtb1990@gmail.com)
2023-02-13 17:40:48

*Thread Reply:* Is that just doing an advanced search under Devices?

Florent N. (Florent.NOSARI@econocom.com)
2023-02-13 17:54:12

*Thread Reply:* I meant advanced, sorry

👍 Rob B
Woody (eric.woodland@trust.tc)
2023-02-13 19:31:57

*Thread Reply:* IMHO… while MI Cloud is easy to use and is for the most part stable/available… I don’t think I’ve seen any improvement/innovation on product in quite some time.

🤙 Rob B, Peuge
Rob B (robtb1990@gmail.com)
2023-02-14 01:37:11

*Thread Reply:* Agreed @Woody. I've only just started managing it a little under a year ago and it feels a few steps behind other MDMs.

👍 Woody
Woody (eric.woodland@trust.tc)
2023-02-14 02:34:27

*Thread Reply:* @Rob B I consider it to be a happy medium between some of the more basic ones like Meraki and then the super in-depth offerings like WS1. Just really comes down to your needs and budget.

👍 Rob B
Peuge (peuge.benjamin@gmail.com)
2023-03-01 21:51:24

*Thread Reply:* @Rob B I have a few scripts you can use. It will export to CSV and it is written in PowerShell. Let me know which fields you need, I got you.

💪 Woody
Kevin Aulbach (kevin.aulbach@thegema.eu)
2023-02-14 12:20:22

@Kevin Aulbach has joined the channel

David S (David.Shields@Sci-us.com)
2023-02-14 17:12:49

@David S has joined the channel

Lewei Z (leweizhang19@gmail.com)
2023-02-15 07:35:45

@Lewei Z has joined the channel

Katja H (katja.hakoneva@goto.com)
2023-02-15 12:46:01

@Katja H has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2023-03-22 12:54:18

Is there a way to change Core's enable secret via SSH?

Almar Diehl (almar.diehl@blaud.com)
2023-03-22 16:26:10

Sure!

Woody (eric.woodland@trust.tc)
2023-03-22 20:06:47

Has anyone tested enrollment of an AE device via ZeroTouch for a MI Cloud tenant that is using AzureAD for auth? Trying to determine if MI Go will keep prompting for U/P in a form or if it will redirect to AAD for auth. So far I’ve only seen the former, but wonder if there is a DPC Extra etc that I need to add to make it all work?

Woody (eric.woodland@trust.tc)
2023-03-23 18:14:58

*Thread Reply:* Figured this out. I had “server URL” in my ZTE config and that was stopping MI Go from allowing username entry/lookup (and subsequent modern auth for said user).

👍 Rob B
Gary (mcconnell.gary@gmail.com)
2023-05-16 11:00:54

*Thread Reply:* Hi Woody, can you share the example DPC json that you are using? thanks Gary

Woody (eric.woodland@trust.tc)
2023-05-22 20:37:23

*Thread Reply:* @Gary — This was for a customer, so let me see if I can scrub it and send

Peuge (peuge.benjamin@gmail.com)
2023-03-27 19:45:16

Is there a way for Android 13 devices in MI to register the serial under work profile and not work managed?

Jason Bayton (jason@bayton.org)
2023-03-27 20:16:50

*Thread Reply:* Profile owners don't get access to device identifiers, so not really

👍 Matt Dermody
Peuge (peuge.benjamin@gmail.com)
2023-03-27 20:27:03

*Thread Reply:* Thanks for cleaning up

Jason Bayton (jason@bayton.org)
2023-03-28 16:35:31

What happened to the CORE download page? https://support.mobileiron.com/support/download

Florent N. (Florent.NOSARI@econocom.com)
2023-03-28 17:34:45

*Thread Reply:* https://support.mobileiron.com/support/CDL.html is still working fine

Jason Bayton (jason@bayton.org)
2023-03-28 17:44:12

*Thread Reply:* Oh perfect, wrong link saved I guess :)

😆 Woody
Mikey2000 (mscottscranton079@gmail.com)
2023-03-29 19:00:45

Intune Partner Compliance with MobileIron Core. Is it possible to add multiple MobileIron Cores to one tenant? Microsoft states there is a limit for one partner per platform, so I guess this is not possible.

Mark Vonk (mark.vonk@dahvo.com)
2023-03-29 20:51:09

*Thread Reply:* Well you can add multiple, as long as each Core only services one platform.

👍 Mikey2000, Woody
Mikey2000 (mscottscranton079@gmail.com)
2023-03-29 21:08:20

*Thread Reply:* I see.. like Core 1 only iOS and Core 2 only Android. This is not the case. We have 3 Core instances in our company with iOS and Android on every Core.

Mark Vonk (mark.vonk@dahvo.com)
2023-03-30 08:49:40

*Thread Reply:* No, indeed, that won’t work

Mikey2000 (mscottscranton079@gmail.com)
2023-03-31 18:16:12

Can anyone explain what is causing this? We have a lot of devices where W@W brings up the message “not authorised”. User is compliant. AppConnect Policy is applied. W@W feature is globally enabled.

Woody (eric.woodland@trust.tc)
2023-04-20 20:54:03

Did the MobileIron Go to Ivanti Go changeover break KNOX KME for anyone else? Guessing the location/name of the APK changed and therefore KNOX can’t access it anymore.

Mark Vonk (mark.vonk@dahvo.com)
2023-04-20 21:26:56

*Thread Reply:* The package name is still the same though, com.mobileiron.anyware.android, from what I see. In the KME configuration, how did you configure the MDM client part?

Woody (eric.woodland@trust.tc)
2023-04-20 21:44:43

*Thread Reply:* It appears the package is still available at https://support.mobileiron.com/cloud-android/current/MobileIron-Go-latest.apk

Rob B (robtb1990@gmail.com)
2023-04-20 22:44:09

*Thread Reply:* Seems like the app icon/branding is updated in the Play store, but after it's installed it's still called MobileIron Go with the old blue M icon.

On iOS it still looks like the old name and icon.

Seems kind of odd

Woody (eric.woodland@trust.tc)
2023-04-21 17:09:02

*Thread Reply:* Can confirm, it was a coincidence that the Go app was rebranded at the same time my customer had an issue. Turns out theirs was stemming more from lack of licensing in the Samsung Intelligence app. She mentioned she was seeing the new Ivanti Go and that’s what threw me off.

👍 Rob B
Woody (eric.woodland@trust.tc)
2023-04-26 15:28:45

Hey gang — Can anyone remind me, if no check-box is selected on the Core ACLs… does that mean that said service is not exposed/accessible (or is otherwise wide-open for access)?

Mark Vonk (mark.vonk@dahvo.com)
2023-04-27 18:43:22

*Thread Reply:* It is wide open; services are exposed to all. You need to check the box and limit it to the IPs you need to expose it to.

👍 Woody
Woody (eric.woodland@trust.tc)
2023-05-08 13:54:06

*Thread Reply:* Perfect. Thanks @Mark Vonk!

Glen Friedman (glen.friedman@gmail.com)
2023-04-28 20:57:22

@Glen Friedman has joined the channel

Woody (eric.woodland@trust.tc)
2023-05-08 13:54:25

Nice to see MI Cloud gaining support for ChromeOS.

alexm (alex.mormocea@gmail.com)
2023-05-18 11:48:38

@alexm has joined the channel

Woody (eric.woodland@trust.tc)
2023-06-23 14:55:38

Anyone on MobileIron Cloud having an issue enrolling Apple devices?

Woody (eric.woodland@trust.tc)
2023-06-23 15:17:11

Weird. Only seems to be occurring from my test iPod Touch (7th Gen). Must be an issue with the version of iOS it’s running on (15.7.6). Bumping it up to 15.7.7

Woody (eric.woodland@trust.tc)
2023-06-23 16:16:16

Interesting. Same result from 15.7.7

Mark Vonk (mark.vonk@dahvo.com)
2023-06-24 19:58:45

Maybe WiFi vs 4/5G issue?

Woody (eric.woodland@trust.tc)
2023-06-26 15:30:08

@Mark Vonk nah, I tried WiFi and Cellular Hotspot. Behaved the same way on both

Jeremy (jeremy@bodokh.com)
2023-06-26 15:32:52

The logs are showing a 500 error from the MobileIron server

Woody (eric.woodland@trust.tc)
2023-06-26 15:33:33

Right @Jeremy — Oddly enough it doesn’t throw that same error for iOS 16 devices

Jeremy (jeremy@bodokh.com)
2023-06-26 15:34:28

Yeah, either MobileIron investigates this, or you keep trying to find the variable that triggers this issue 🕵️‍♂️

👍 Woody
Woody (eric.woodland@trust.tc)
2023-06-26 16:19:14

@Jeremy I’m gonna submit a ticket and say a prayer LoL

Mark Vonk (mark.vonk@dahvo.com)
2023-07-05 07:57:05

*Thread Reply:* Did you ever manage to get this fixed?

Woody (eric.woodland@trust.tc)
2023-07-10 13:50:48

*Thread Reply:* @Mark Vonk admittedly it stopped occurring for me. Are you still seeing it?

Lucile Riand (lucile.riand@ebf.com)
2023-06-29 17:11:36

Hi! Do you know if in MIron Core, there is a way to check/change the rate limit of the API Commands that the MDM will accept in 24h or in one hour before it will stop answering any requests? I know Workspace One has a ‘daily quota’ setting parameter, but which one will be the equivalent in MICore and where can we access it?

Mark Vonk (mark.vonk@dahvo.com)
2023-06-29 18:09:11

*Thread Reply:* As far as I know there is no limit, unless you are killing the Core with API requests 😉 in that case you are limited to the resources applied to the Core.

👍 Lucile Riand
Lucile Riand (lucile.riand@ebf.com)
2023-06-29 18:51:01

*Thread Reply:* Thank you Mark, that’s the direction that the team was going in, making sure enough CPU will handle a rush of API requests!

Mikey2000 (mscottscranton079@gmail.com)
2023-07-04 18:36:21

I need to change the internal IP addresses and the gateway configured for Core and Sentry. What is the best way to do that? 1.) change the IP address via System Manager 2.) add the new network to the VM

But I guess this won’t work if I change the gateway via System Manager, which will not be possible after I change the IP.

Should I rather change everything via CLI on VM console?

Mark Vonk (mark.vonk@dahvo.com)
2023-07-05 07:56:35

*Thread Reply:* You should do it from the VM console. In order not to get stuck in a loop I would add the VM network first. Then update the IP address and after that change the routes (gateway)

Mikey2000 (mscottscranton079@gmail.com)
2023-07-06 15:38:39

*Thread Reply:* Thanks worked like a charm

Mark Vonk (mark.vonk@dahvo.com)
2023-07-06 17:56:58

*Thread Reply:* 👍

Sebastiaan (sebastiaan.smits@twentynice.com)
2023-07-06 11:49:16

@Sebastiaan has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2023-07-06 15:41:19

We use certificates (SCEP) with Core for our WiFi. Today we have a lot of devices which cannot connect to the WiFi. The WiFi Config has the status “partially applied” on these devices. What does that mean?

Almar Diehl (almar.diehl@blaud.com)
2023-07-06 15:43:55
Matt Dermody (jmdermody@gmail.com)
2023-07-06 15:51:01

*Thread Reply:* Are the devices A13? https://mobilxperts.slack.com/archives/C1V8JC31T/p1687943586782749?thread_ts=1687938080.448419&cid=C1V8JC31T

Mikey2000 (mscottscranton079@gmail.com)
2023-07-07 08:23:51

*Thread Reply:* Interesting - thanks guys.

Phil Hackett (phil.hackett83@gmail.com)
2023-07-10 18:16:07

Ivanti have released details of a vulnerability (CVE-2023-25690) in Core 11.9.0.1 and below which allows unauthenticated users to receive responses which could include PII data.

https://www.cve.org/CVERecord?id=CVE-2023-25690

Need to upgrade to Core 11.10.0.1 or manually install a patch. See link for more details.

https://forums.ivanti.com/s/article/EPMM-Security-Concern-with-Server-Response-Leak

Mikey2000 (mscottscranton079@gmail.com)
2023-07-12 19:44:11

*Thread Reply:* In the first sentence of the article they mention that 11.9.0.1 and below is affected. There is also 11.9.1.0. So only 11.10.0.1 includes the fix and 11.9.1.0 is also affected - can anyone confirm this?

Phil Hackett (phil.hackett83@gmail.com)
2023-07-13 14:50:08

*Thread Reply:* From reading the article, 11.9.1.0 is also affected.

If you’re running an affected version, you will need to upgrade to 11.10.0.1 OR manually install the RPM package.

We’ll be installing the RPM, as we never run the latest release.

Peuge (peuge.benjamin@gmail.com)
2023-07-12 14:59:45

Good morning, is anyone else experiencing issues with the Users section of the MIC UI? On two occasions today my customers can only see the user that is signed in and no others. Is there a bug with the MIC UI?

Paul Troisi (ptroisi@troymobility.com)
2023-07-13 14:35:06

*Thread Reply:* Hey Peuge, how are you my friend? Hope all is well with you. I am not seeing any issues on NA1. What cluster are you having issues with, NA2? I have not heard of any problems from the customer base, which is mostly on NA2.

Peuge (peuge.benjamin@gmail.com)
2023-07-13 19:25:17

*Thread Reply:* Hey Paul,

Paul Troisi (ptroisi@troymobility.com)
2023-07-13 19:29:48

*Thread Reply:* Hey Peuge!

Peuge (peuge.benjamin@gmail.com)
2023-07-13 19:26:41

I have not touched AAD integration in a while. Looks like there are a lot of changes happening. I have a customer whose users are not syncing to MIC after the AAD integration. Am I missing something? This should happen automagically, right?

Mikey2000 (mscottscranton079@gmail.com)
2023-07-18 11:44:18

Email+ on Android Enterprise - is there a way to see the subject from an appointment on the lockscreen? Should this be visible by default? Can anyone confirm this?

Thomas B. (tbosboom@apple.com)
2023-07-25 12:40:14

So, is everyone busy patching ~MobileIron~ Core ?

Almar Diehl (almar.diehl@blaud.com)
2023-07-25 12:52:42

*Thread Reply:* We just finished last week's patching 🙂

❤️ Thomas B.
Thomas B. (tbosboom@apple.com)
2023-07-25 14:56:49

*Thread Reply:* (context: https://techcrunch.com/2023/07/25/ivanti-epmm-zero-day-norway-government-breach/)

Matt Dermody (jmdermody@gmail.com)
2023-07-25 15:31:53

*Thread Reply:* Yikes

Rob B (robtb1990@gmail.com)
2023-07-28 17:31:20

*Thread Reply:* We just got notified about another one a few minutes ago.

😆 Thomas B.
Rob B (robtb1990@gmail.com)
2023-07-28 17:31:31

*Thread Reply:* CVE-2023-35081

Almar Diehl (almar.diehl@blaud.com)
2023-07-28 17:59:51
Thomas B. (tbosboom@apple.com)
2023-07-28 18:01:46

*Thread Reply:* If I read correctly, this is the privilege escalation step used after the initial exploit patched earlier this week, same customers affected.

Almar Diehl (almar.diehl@blaud.com)
2023-07-28 18:03:23

*Thread Reply:* Yes, but the k-item also says "CVE-2023-35078 reduces the complexity of executing CVE-2023-35081". So even after patching 35078 customers are still vulnerable to 35081.

Rob B (robtb1990@gmail.com)
2023-07-28 18:04:47

*Thread Reply:* My favorite part is we haven't been able to update our Core as we are getting a "download failed" error when updating.

We used the RPM fix in the interim. But with this new CVE it looks like we actually need the Core update to work correctly. Hopefully this 2nd call with Ivanti support can get it figured out

Mark Vonk (mark.vonk@dahvo.com)
2023-07-28 18:45:45

*Thread Reply:* The gift that keeps on giving 🫣

😆 Woody
Ala Almaet (ala@alaalmaet.com)
2023-08-08 06:07:37

*Thread Reply:* Those trying to keep up with all the Ivanti exploits CVE-2023-3582 impacts all versions of EPMM/Core. This article has details on the patch https://forums.ivanti.com/s/article/KB-Remote-Unauthenticated-API-Access-Vulnerability-CVE-2023-35082?language=en_US

Mikey2000 (mscottscranton079@gmail.com)
2023-08-23 18:21:02

We want to block iTunes backups on personal devices. We have a couple of terminals in our company where users can start and manage their backups. Am I still up to date that there is a way within the DEP profile to allow certain computers to connect to the devices - what do I need for that? A certificate from our terminal computers? We are on EPMM aka Core

Todd Cole (toddcole13@hotmail.com)
2023-08-23 19:36:46

*Thread Reply:* You can block USB to any machine that does not have the Supervision certificates on it.

👍 Rob B
Mikey2000 (mscottscranton079@gmail.com)
2023-08-23 20:01:54

*Thread Reply:* So I have to create a certificate with the Apple Configurator 2, use that cert within the DEP profile and every computer that has that cert installed is a trusted computer and can sync with the devices. Is that limited to macOS or can Windows also be used?

Todd Cole (toddcole13@hotmail.com)
2023-08-25 13:15:58

*Thread Reply:* The supervision certificate may already have been created but if not then yes create one with AC2 (macOS only) then use that on the machines you want to sync with. set the device to only allow sync with supervised devices.

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2023-08-25 14:55:48

*Thread Reply:* Ok, so create the cert only on macOS because of the AC2, but we can install the cert also on a Windows machine to be a trusted device? Or is this also just macOS?

Todd Cole (toddcole13@hotmail.com)
2023-08-25 17:52:59

*Thread Reply:* I am not sure, I know how the process works but I don’t use Windows machines so I have never tried. I would not hold my breath for it to work. Sorry I am not more help.

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2023-08-31 15:00:23

We are migrating from Exchange on-prem to EXO. I want to switch the Exchange configs dynamically once the migration batch is finished and the user was successfully migrated to EXO. I want to create a dynamic label on EPMM (Core) which targets the AD property “msExchRemoteRecipientType” = 4. Is this the right property or is there a different one - does anyone have experience with that?

Almar Diehl (almar.diehl@blaud.com)
2023-09-01 19:22:38

*Thread Reply:* Never used this attribute but I think it should work. I always use the attribute MSExchHomeServerName. If it equals to the on-prem server the mailbox is not migrated yet.

🙏 Mikey2000
Bruce (bpayne@mobileiron.com)
2023-09-05 12:55:40

@Bruce has joined the channel

Bruce (bruciebonus41@gmail.com)
2023-09-28 10:49:59

@Bruce has joined the channel

Peuge (peuge.benjamin@gmail.com)
2023-10-03 23:00:14

Hey y'all. Anyone run into issues retiring Apple iOS 16.6 + 17.x in Ivanti Neurons?

Mikey2000 (mscottscranton079@gmail.com)
2023-10-16 09:05:23

We use MobileIron Core with a dynamic label for Android Enterprise enrollment with the Android.afw_capable is true. The Android Enterprise enrollment config enables Work Profile on Managed devices. So currently every Android device will get a Work Profile. Now we need to enroll a couple of Kiosk devices, which of course now will also receive that enrollment config due to the label. What is the best way to exclude the Kiosk devices? I have tried to add the registration status within the existing label - so only add COPE/WPoCOD and Work Profile to the label - but it looks like this breaks my Android enrollment (unsupported mode error) because at the time of the enrollment the device will not have that registration status and lands in the device admin enrollment.

What is the best way to solve this? Use an AD group within the label? I have plenty of COPE/WPoCOD devices, so I cannot remove that label and redesign it.

Jason Bayton (jason@bayton.org)
2023-10-16 09:07:32

I'd go AD group for exclusion, though if core supports precedence for labels a newer label with higher precedence may be cleaner.

**Haven't touched core in two years, by all means wait on better advice

🙏 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2023-10-16 09:59:47

We have a couple of Samsung tablets running on Kiosk with MobileIron Core. If the devices will not be used in some time, they will lose the WiFi connection. Is there a way to prevent that - I guess the power saving mode is the killer. Deactivate it with KSP?

Florent N. (Florent.NOSARI@econocom.com)
2023-10-16 10:03:17

Personally I use custom attributes to differentiate enrollment modes (you can also pass it through QR code/ZTE)

👍 Mikey2000
Mikey2000 (mscottscranton079@gmail.com)
2023-11-07 22:06:48

Our firewall guy told me today that the firewall marks a lot of traffic from Core and Sentry as highly suspicious. Core is the latest version, but Sentry is still 9.17. Could be that some of the previous exploits compromised our environment. Is there a list of which traffic is expected?

Probo (cody.higgins@trust.tc)
2023-11-14 21:56:06

@Probo has joined the channel

Mikey2000 (mscottscranton079@gmail.com)
2023-12-19 17:12:20

Has anyone seen this issue? We remove the MDM profile from an Ivanti enrolled iOS device (Core), but after installing the Company Portal app the error message appears: device still enrolled with MobileIron On-Premise… and we cannot enroll the device. We also have wiped a device, but still the same message. How is this possible?

Mark Vonk (mark.vonk@dahvo.com)
2023-12-19 18:35:13

*Thread Reply:* That should not be possible, if you removed the MDM profile manually or performed a Retire command. Are these ABM devices?

Mikey2000 (mscottscranton079@gmail.com)
2023-12-19 18:36:55

*Thread Reply:* Our Core is offline because of a security incident, so no retire from Core possible. Yes some of these devices are ABM.

Mark Vonk (mark.vonk@dahvo.com)
2023-12-19 18:43:49

*Thread Reply:* What error do you get when Intune tries to implement its MDM profile?

Mikey2000 (mscottscranton079@gmail.com)
2023-12-19 18:49:37

*Thread Reply:* “This device is registered with MobileIron Device Compliance On-prem.”

Mikey2000 (mscottscranton079@gmail.com)
2023-12-19 18:50:12

*Thread Reply:* Oh wait just a minute - this is the partner compliance

Mikey2000 (mscottscranton079@gmail.com)
2023-12-19 18:51:28

*Thread Reply:* Of course - we have registered most of the devices in Azure with the Core Partner Compliance. So we have to remove the devices from Azure I guess.

Henry Heres (henry@technicalfellow.nl)
2023-12-20 08:20:08

*Thread Reply:* Intune is also registered with ABM now? If you're moving around, the ABM profile needs to be Intune as well

Sherman Chen (sherm@me.com)
2023-12-19 17:45:13

Open a support ticket. Something didn't get cleaned up correctly in the database

Mikey2000 (mscottscranton079@gmail.com)
2023-12-19 17:53:30

*Thread Reply:* You mean the database on Core? If we remove the profile manually on the device and uninstall the Ivanti app, how would a connection to Core be relevant?

Woody (eric.woodland@trust.tc)
2024-01-09 19:36:23

Okay -- Admittedly it's been a minute since I've enrolled an AE Work Managed Device (No Work Profile) into MI Cloud/Neurons MDM. Is there something more I need to do in order for the profile to install? Device gets through the Provisioner/QR/6x Tap startup wizard and then just sits there waiting for the profile. Have tested in 2x Ivanti tenants and am receiving the same result.

Florent N. (Florent.NOSARI@econocom.com)
2024-01-09 19:39:09

*Thread Reply:* You need to assign the Android WPCoD configuration, not the Work Managed one

Woody (eric.woodland@trust.tc)
2024-01-09 19:41:08

*Thread Reply:* @Florent N. This one?

Florent N. (Florent.NOSARI@econocom.com)
2024-01-09 19:42:18

*Thread Reply:* Yes

Woody (eric.woodland@trust.tc)
2024-01-09 19:42:46

*Thread Reply:* On it. Give me a few and I'll report back.

Woody (eric.woodland@trust.tc)
2024-01-09 19:45:45

*Thread Reply:* okay, that did the trick

Woody (eric.woodland@trust.tc)
2024-01-09 19:45:54

*Thread Reply:* So @Florent N. -- Part 2

Woody (eric.woodland@trust.tc)
2024-01-09 19:46:34

*Thread Reply:* For Rugged Devices (Honeywell/Zebra) is that applied to the Neurons/local "Service Account" that is created for those type devices?

Florent N. (Florent.NOSARI@econocom.com)
2024-01-09 19:48:04

*Thread Reply:* @Woody did you use user groups?

Woody (eric.woodland@trust.tc)
2024-01-09 20:04:16

*Thread Reply:* @Florent N. I can. Presently just assigned directly to my test user

Florent N. (Florent.NOSARI@econocom.com)
2024-01-09 20:05:14

*Thread Reply:* I did not understand your question sorry.

Woody (eric.woodland@trust.tc)
2024-01-09 20:05:45

*Thread Reply:* Sorry, it revolves around the use of Honeywell/Zebra scanner devices

Woody (eric.woodland@trust.tc)
2024-01-09 20:06:00

*Thread Reply:* Will they also need to have the Android WPCoD assigned?

Woody (eric.woodland@trust.tc)
2024-01-09 20:06:36

*Thread Reply:* Obviously going to follow the vendor's documentation/specifications, but at its core they should follow the same approach. Right?

👍 Florent N.
Florent N. (Florent.NOSARI@econocom.com)
2024-01-09 20:06:49

*Thread Reply:* Only if you want work profile on them, if not use the other ae configuration

Woody (eric.woodland@trust.tc)
2024-01-09 20:07:18

*Thread Reply:* Work Profile (on a dedicated device) will just be the single profile... with no Work Satchel. Right?

Woody (eric.woodland@trust.tc)
2024-01-09 20:07:40

*Thread Reply:* I've tried all the other configs and they result in the same screen-shot I sent at the beginning of this thread

Woody (eric.woodland@trust.tc)
2024-01-09 20:08:51

*Thread Reply:* Or is that the stance going forward? That a Work Profile will be on the CoD irregardless

Florent N. (Florent.NOSARI@econocom.com)
2024-01-09 20:09:08

*Thread Reply:* Are you using gms versions of Zebra OSs ?

Woody (eric.woodland@trust.tc)
2024-01-09 20:09:39

*Thread Reply:* I'm currently testing on Samsung Hardware. The customer will be responsible for the Zebra side of the house, I'm just mentally prepping so I can educate him

Florent N. (Florent.NOSARI@econocom.com)
2024-01-09 20:10:03

*Thread Reply:* Work Profile is for BYOD

Woody (eric.woodland@trust.tc)
2024-01-09 20:10:08

*Thread Reply:* Right

Woody (eric.woodland@trust.tc)
2024-01-09 20:11:26

*Thread Reply:* So if I'm doing Company Owned/Dedicated Device... I should be using: Android enterprise: Work Managed Device (Android for Work)

👍 Matt Dermody
Florent N. (Florent.NOSARI@econocom.com)
2024-01-09 20:15:00

*Thread Reply:* Yes if you don't want a work profile on them

Woody (eric.woodland@trust.tc)
2024-01-09 20:39:54

*Thread Reply:* @Florent N. is it possible to install the Android enterprise: Work Managed Device (Android for Work) profile by using the 6x taps? Or does it need to come through ZTE/KME to have that flag set?

Woody (eric.woodland@trust.tc)
2024-01-09 20:42:32

*Thread Reply:* It appears to still be an Android Work Managed Device, but I can't get that profile to push.

Woody (eric.woodland@trust.tc)
2024-01-09 20:42:37

*Thread Reply:*

Woody (eric.woodland@trust.tc)
2024-01-09 20:45:39

*Thread Reply:* Interesting. I got it to install, but had to reboot the device first

Florent N. (Florent.NOSARI@econocom.com)
2024-01-09 20:45:57

*Thread Reply:* It can take time sometimes

Woody (eric.woodland@trust.tc)
2024-01-10 02:27:57

*Thread Reply:* Okay, closure here. There's something up with Android 9 phones and the 6x Tap (QR code from Ivanti Provisioner) into Device Owner/CoD mode. They come through fine with KNOX KME, but don't provision properly using the taps. I tried the 6x tap with my S8 Tablet (Android 14) and it came right through. Guess it's about time to finally retire the old fleet of Android 9 units.

Woody (eric.woodland@trust.tc)
2024-01-11 01:43:23

*Thread Reply:* @Florent N. Even more closure: The phone I was testing with (I have two identical A10e units) isn’t registering its AE attributes correctly with Ivanti, therefore it isn’t added to the Android Enterprise group (and isn’t entitled to the profiles). I tested several times with my S8 Tablet and achieved success every time. Definitely time to retire these older units.

MDM (formacionabox@gmail.com)
2024-01-21 03:32:04

@MDM has joined the channel

Jason Asma (jason.asma@broadcom.com)
2024-01-21 22:20:52

@Jason Asma has joined the channel

Thomas B. (tbosboom@apple.com)
2024-01-23 13:00:25

https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities Just keeps givin’

😆 Woody
🤣 Phil Hackett
Yashwanth (yash@codeproof.com)
2024-01-23 14:12:14

@Yashwanth has joined the channel

Santiago (uemsantiago@gmail.com)
2024-01-24 11:23:56

@Santiago has joined the channel

Toby Sansome (tobyjonsansome@googlemail.com)
2024-02-07 14:43:37

@Toby Sansome has joined the channel

nmizid (taakkait.mahmoud@gmail.com)
2024-02-12 14:25:19

@nmizid has joined the channel

Rob B (robtb1990@gmail.com)
2024-02-12 21:09:43

Anybody ever see a user who unenrolls from Ivanti Neurons, but Apps@Work sticks and it's still non-removable? Feel like I remember this happening once before to me with Maas360 and their app store long ago but couldn't remember the fix.

Mikey2000 (mscottscranton079@gmail.com)
2024-02-13 16:06:29

I am looking for an integration guide for Ivanti Mobile Threat Defense with EPMM (aka Core) but I can only find the integration guide for Neurons (Cloud). Is EPMM not supported anymore?

Ala Almaet (ala@alaalmaet.com)
2024-02-13 21:44:43

*Thread Reply:* @Mikey2000 it hasn't really changed in a while it seems, especially as they are now pushing Lookout as the replacement to Ivanti MTD https://help.ivanti.com/mi/help/en_us/mtd/11.x/gdco/Content/LandingPage.htm

🙏 Mikey2000
Justin Butts (justin.butts777@gmail.com)
2024-03-05 19:40:01

*Thread Reply:* Oooh that's an extremely spicy question for Ivanti these days hahahah

🤣 Mikey2000, Ala Almaet
Mikey2000 (mscottscranton079@gmail.com)
2024-02-16 11:56:55

Are there currently any known issues with Samsung devices and email sync? I have more and more devices stopping email sync (Email+) after 24 hours. During the setup everything works fine, but after like 24 hours the sync stops. ActiveSync entry is still allowed (EPMM). If I delete the entry, no new entry will be created.

Rob B (robtb1990@gmail.com)
2024-02-23 20:12:59

*Thread Reply:* We had that issue before and it was supposedly a known one that was worked out a while back. I think a year ago.

Haven't heard about it popping up again though. https://forums.ivanti.com/s/article/Email-and-gmail-randomly-fail-to-sync-on-Android-OS-13-devices?language=en_US

Aitor Gonzalez (aitor.gonzalez@seidor.com)
2024-02-16 13:17:21

@Aitor Gonzalez has joined the channel

Oco (omercohen3@gmail.com)
2024-03-11 09:38:33

@Oco has joined the channel

Leandro Nomid EMM (leandro@nomid.tech)
2024-03-11 18:03:59

@Leandro Nomid EMM has joined the channel

Florent N. (Florent.NOSARI@econocom.com)
2024-04-22 08:35:14

Hello, does anyone know where to find the Core GMRC doc?

Mikko (msavolainen@outlook.com)
2024-04-24 10:47:08

@Mikko has joined the channel

Florent N. (Florent.NOSARI@econocom.com)
2024-04-26 17:37:01

Hello everyone, has anyone found a solution to set wallpaper on Zebra devices enrolled in Ivanti EPMM in AOSP mode? It seems that OEM config does not work in this mode. I tried to find an intent for that but cannot find any.

Matt Dermody (jmdermody@gmail.com)
2024-04-26 21:34:49

*Thread Reply:* Almost 100% of Zebra devices I deploy and manage have a custom lockdown applied from the MDM and therefore the base wallpaper is never displayed to the end user. Are these devices not locked down?

Matt Dermody (jmdermody@gmail.com)
2024-04-26 21:36:08

*Thread Reply:* Also curious and a bit confused by what you mean by AOSP mode. All Zebra devices that have shipped since basically the WT6000 and TC8000 have been GMS with the exception of China-based AOSP SKUs.

Matt Dermody (jmdermody@gmail.com)
2024-04-26 21:36:50

*Thread Reply:* OEMConfig itself is an Android Enterprise feature typically deployed through Managed Play. If your devices are AOSP then OEMConfig may not be an option unless your EMM can handle “offline” managed configurations.

Raul (rnadal@mobileiron.com)
2024-04-29 12:40:16

*Thread Reply:* On AOSP Mode on EPMM/Core you can use OEMConfig apps as well.

You just need to upload OEMConfig app as in-house, and you will see Managed Config inside.

The limitation is that same server won’t be able to deploy in-house (for AOSP) and public (for any other AE mode) version of same app, so if you are using same EPMM server, you just can do one or the other.

Now, on EPMM you can still push XML configs from StageNow to Zebra devices, regardless of whether they are AOSP or regular AE.

If StageNow meets your needs, I’d go this way instead of thru OEMConfig.

Hope it can help,

Florent N. (Florent.NOSARI@econocom.com)
2024-04-29 12:43:06

*Thread Reply:* I used Android devices using AOSP/closed network. I need to change the wallpaper and lockscreen wallpaper. My config is never pushed and I have to trigger OEM config change intent using adb but my config is never pushed. However, other app received the configuration.

Raul (rnadal@mobileiron.com)
2024-04-29 12:45:43

*Thread Reply:* When you say your config, which one do you mean?

An XML you created on StageNow and uploaded to EPMM, then pushed to AOSP devices?

A Wallpaper config for DO mode created on EPMM and pushed to devices?

A configuration created within in-house Zebra OEMConfig app and sent to AOSP devices?

Which one?

Raul (rnadal@mobileiron.com)
2024-04-29 12:46:03

*Thread Reply:* You have 3 ways to do

Raul (rnadal@mobileiron.com)
2024-04-29 12:46:48

*Thread Reply:* If EPMM native wallpaper config is not working, I’d try creating XML on SN and pushing it to devices.

Raul (rnadal@mobileiron.com)
2024-04-29 12:48:20

*Thread Reply:* If you only have AOSP devices managed on this EPMM server, you can try uploading OEMConfig app as in-house, and remember to upload any app update manually, but if you also manage regular AE devices, better going with XML way

Raul (rnadal@mobileiron.com)
2024-04-29 12:49:12

*Thread Reply:* That should be enough

Florent N. (Florent.NOSARI@econocom.com)
2024-04-29 13:30:45

*Thread Reply:* I mean Zebra OEM config managed config (no status in app)

Florent N. (Florent.NOSARI@econocom.com)
2024-04-29 13:31:49

*Thread Reply:* I wanted to try using OEM config to use file transfer instead of remote server, as variables cannot be used in XML config

Raul (rnadal@mobileiron.com)
2024-04-29 13:32:42

*Thread Reply:* Umm, weird that it’s not being pushed.

Florent N. (Florent.NOSARI@econocom.com)
2024-04-29 13:34:02

*Thread Reply:* Yeah, I had to trigger config change using adb to see a last update timestamp in app but still no status

Raul (rnadal@mobileiron.com)
2024-04-29 13:36:59

*Thread Reply:* I tested this on Samsung and worked but I have no Zebra devices to test

Raul (rnadal@mobileiron.com)
2024-04-29 13:37:18

*Thread Reply:* Did wallpaper config fail as well?

Florent N. (Florent.NOSARI@econocom.com)
2024-04-29 13:38:22

*Thread Reply:* Wallpaper config is not applied at all (not visible)

Raul (rnadal@mobileiron.com)
2024-04-29 13:42:04

*Thread Reply:* Got it.

You should open a support ticket then as I’ve mentioned, same in-house OEMConfig approach worked with other vendors on AOSP mode.

Florent N. (Florent.NOSARI@econocom.com)
2024-04-29 13:43:48

*Thread Reply:* Thanks for your help, I will do it then.

👍 Raul
Raul (rnadal@mobileiron.com)
2024-04-29 13:45:11

*Thread Reply:* Try with a Samsung device to compare, or any other one you may have that also has OEMConfig app. Registered as AOSP for sure.

Raul (rnadal@mobileiron.com)
2024-04-29 13:45:20

*Thread Reply:* This will help you to push ticket

Florent N. (Florent.NOSARI@econocom.com)
2024-04-29 13:46:28

*Thread Reply:* I will try on Samsung and see if it works. And maybe with legacy Zebra OEM config

👍 Raul
suraj suri (srjsuri44@gmail.com)
2024-05-06 11:52:57

@suraj suri has joined the channel

Florent N. (Florent.NOSARI@econocom.com)
2024-05-07 16:02:57

Just curious, why does the M@W process have a Russian name?

Clark (76clark@gmail.com)
2024-05-10 16:00:16

*Thread Reply:* Guessing there was a Russian developer involved in the app at some point.

Florent N. (Florent.NOSARI@econocom.com)
2024-05-10 17:12:20

*Thread Reply:* It's funny to see dev history in some little things, there is something similar with One Drive app

Mark Vonk (mark.vonk@dahvo.com)
2024-05-17 08:26:08

There are three new CVEs on EPMM, fortunately a little less critical: https://forums.ivanti.com/s/article/KB-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-May-2024?language=en_US

👀 Thomas B., Matt Dermody, Woody
Kruit (ma.kruit@belastingdienst.nl)
2024-06-04 12:33:47

@Kruit has joined the channel

👋 Thomas B.
Nesrin Kalender (kalendernesrin@gmail.com)
2024-06-06 20:54:06

@Nesrin Kalender has joined the channel

Artan Prenaj (artan_p@outlook.com)
2024-06-12 20:52:50

@Artan Prenaj has joined the channel

Brian Harvey (brianh@barcoding.com)
2024-07-17 23:56:47

@Brian Harvey has joined the channel